Transcript CYBER DOMAIN Situational Awareness

CYBER DOMAIN Situational
Awareness
AFCEA, San Antonio, TX
7 June 2011
Robert J. Carey
DEPUTY ASSISTANT SECRETARY OF DEFENSE
(Information Management, Integration, and Technology)
& DoD DEPUTY CHIEF INFORMATION OFFICER
(703) 614-7323
[email protected]
Areas for Today’s Discussion
• DoD Cyber Landscape/Situation
• DoD Cyber Strategy
• DoD CIO – CYBERCOM Relationship
• Cyber Intelligence
• Challenge of Situational Awareness
• Initiatives
• The Way Ahead
2
DoD Network Landscape
IT Systems
DoD IT User Base
• ~10,000 Operational systems
• 1.4 million active duty
• 750,000 civilian personnel
(20% mission critical)
• >772 Data Centers
• ~67,000Servers
• ~7+ million computers and IT
• 1.1 million National Guard
and Reserve
• 5.5+ million family members
and military retirees
devices
• 146 + countries
• 6,000 + locations
• 600,000 + buildings and
• ~15,000 networks
• Thousands of email servers,
firewalls, proxy servers, etc.
structures
Total IT Budget
• >$ 38 Billion in FY12
o >$16 Billion in IT Infrastructure
o >$2 Billion for Cyber Security
Problem
• Decentralized planning, standards, and operations
over the years
• Rapidly evolving technology
Has Resulted In
Defense Industrial Base
• 36 DIB partners
• 2650 Cleared Def Contractors
• Thousands of business partners
•
•
•
•
Increased Cyber vulnerabilities
Impediments to joint operations
Large cumulative costs
Inability to fully capitalize on information technology
3
Our Challenge
The warfighter expects/needs access to
information – from any device,
anywhere, anytime
4
Situation
•
Our vast current attack surface cannot be defended well
•
Absolute reliance upon networks to accomplish our
National Security mission
•
Our Networks are complex and expensive
to defend and maintain
•
USG and Industry largely in the same situation
•
Defense Cyber Crime Center (DC3) and the DIB are our
intelligence information sharing platforms via DIBnet
•
Partnership with Intelligence Community essential
Need Greater Connectivity, Agility, And Flexibility
5
DoD’s Cyber Strategy
5 Pillars
• Cyberspace as a domain
• New defense operating
concepts
• Extending cyber defenses
• International partners
• Technology and innovation
Get In Front of the Threat
6
DoD CIO – USCYBERCOM
Relationship
DoD CIO
USCYBERCOM
Establishes policies, processes, and
standards for ensuring information
delivery and authorized access.
Operates and defends DoD’s elements of
cyberspace to leverage emerging
technologies and to counter evolving threats.
• Policies
• Processes
• Standards
DoD CIO
USCYBERCOM
• Operational Requirements
• Emerging Threats
• Effectiveness Measures
DISA
Operational Orders
DoD
Components
7
Cyber Intelligence
Collection & Analysis of Data from All
Sources
• Understanding of Internet, Networks and Integration
• Indications and Warnings
• Existing Situational Awareness Tools
• Develop new tools
• Internet ‘Data-Mining’
Synthesis & Analysis of Data
• Integrate Information into ‘Actionable Decisions’
• Common Operating Picture a must
Framework for I&W and SA Sharing
• Across DOD, USG, Defense Industrial Base (DIB) a model
• Mechanism for Management & De-confliction
• While protecting sensitive information
USG
DoD
DIB
8
Cyber Intelligence
• Definitional Attributes:
– Timely network activity information
• Proactively managed to allow operational commanders maneuver space
– Trusted network activity information
• Combination of all source and organic sensor information
– Actionable
• Enables risk based decisions and actions
– Defensive and Offensive
9
DoD IT Strategy and Roadmap
Goals
Secretary of Defense Efficiencies
Key Benefits
• Unity of effort
• Do more with less
• Reduce acquisition,
procurement and
sustainment cost
• Improve IT cost
awareness
• Eliminate redundant
effort and cost
Are our IT
systems working
for us?
Effectiveness
Improve mission
effectiveness and
combat power
throughout the
Department
Efficiency
Reduce
duplication in the
DoD IT
Infrastructure, and
deliver significant
efficiencies across
the Department
Cyber
Security
Improve the
security of DoD
networks and
information from
all threats
Key Benefits
• Unify command and control of
critical networks
• Detect and eliminate malicious
activity
• Validate access to information
based on enterprise identity
and user attributes
Key Benefits
• Unity of command
• Consistent and
improved user
experience
• Rapidly deliver new
business and mission
capabilities
• Increase
interoperability with
in -place systems
• Global access to
needed information
• Improve availability
and reliability
Are we using our
resources
efficiently?
Are our IT
systems
secure?
Enterprise Approach
Is Critical
DoD IT infrastructure optimization goals are directly tied to a CIO’s
“Three Core Questions”
10
IT Infrastructure Consolidation
Initial Actions
1. Data Center consolidation
2. Network Standardization / Optimization
3. Enterprise Identity Management – secure authentication to
network and data – drive anonymity from networks
4. Enterprise Email – Single global directory service (Single
DoD “Phone Book”)
5. Enterprise Hardware/Software Contracts & Procurement Leverage Department’s buying power
Reduce footprint, simplify architecture, increase our ability to defend
11
Network Optimization
12
Enterprise-Wide CND Initiatives
Implementing a broad set of initiatives for Computer Network Defense:
•
Trust based Certification and Accrediation
•
•
•
•
•
Situational Awareness Capabilities
Host-Based Security System (HBSS)
Defense Industrial Base (DIB) Support
Supply Chain Risk Management (SCRM) strategy
Insider Threat Mitigation
•
Continuous Monitoring
•
•
•
Secure Configuration Management
Demilitarized Zones (DMZ)
•
•
•
Web Content Filtering
E-Mail Security Gateway
DNS Hardening
Network Scanners
Partnering in key areas with the IC, Combatant Commands,
Services, DoD Agencies and Industry
13
Challenge of ‘Situational
Awareness’
• Information necessary for a Cyberspace Common Operational Picture
(COP) supporting Situational Awareness (SA) and enabling C2 decision
making comes from disparate Indications & Warnings (I&W) sources
– Diverse set of capabilities making interoperability a challenge
– Legacy point-to-point interfaces inhibiting information sharing
– Synthesis of “Internet ” feeds (Data Mining) is essential to feed a COP and
understand the environment
– Need validated requirements for a customizable unified community resource
for detection, analysis, or presentation
– Need a cohesive ‘Data Strategy’ linked to net as part of network optimization
Must Overcome Obstacles to Information Access & Sharing
14
Situational Awareness
Initiatives
• Seeking to leverage technologies to create
a net centric architecture which easily allows
current and future, unintended, data sources
to be combined and utilized for SA:
– Continuous Monitoring (CM)
• Secure Configuration Management (SCM)
• Host Based Security System (HBSS)
– Identity Management – PKI enablement
– Situational Awareness - Global NetOps
Information Sharing Environment (GNISE)
– Internet Data Mining – In combination with
CM
Allow for more balanced Risk Management
15
Developing Situational
Awareness Capabilities
Mission Needs
Strategic
Tactical
Communities
Operational
Civilian
IC
Coalition
Info Sharing
Shared SA
Enterprise 2.0 for NetOps SA
Web
Services
DIB CS/IA Data
DISA NetOps Data
Reports
Dashboards
Data Streams
Data Visualization
Service Mashup
User Interface
DIBNet
Information
Portal
Integration
User Interface
Integration
Data Analytics / Service Gadgets
NetOps SA Data
DC3
Data
Sources
Other
Data
Sources
CND UDOP
cd JIMS
Data Mining
Transition
Enterprise Services
(Auth, Messaging, Cross Domain)
Web
Services
NetOps
Apps
Custom
Data
Sources
JCD
SIM
GNA, GEM, GCM, CIP Data Sources
CDC
Web
Services
Custom
Data
Sources
JCD Data
16
The Way Ahead
• Pursue our goal of affording secure access to
information for the warfighter from any device
• Our strategy is to consolidate and standardize
elements of the networks to more effectively defend
them and confront threats with agile information
sharing
• Our focus is to embed the policies, procedures,
oversight, and culture that enable information sharing
into the Defense community and its mission partner
• Continue to leverage extensive and unprecedented
capabilities afforded by the Information Age
• Continue to partner with industry to deliver National
Security in Cyberspace
We are creating an information advantage.
17
How Can You Help?
• Ask hard questions
• Leverage your best and
brightest
• Innovate
• Help us find lasting
solutions that scale
• Be part of our success
Partnership
18
Agile and secure information capabilities to
enhance combat power and decisionmaking.
Robert J. Carey
DEPUTY ASSISTANT SECRETARY OF DEFENSE
(Information Management, Integration, and Technology)
& DOD DEPUTY CHIEF INFORMATION OFFICER
(703) 614-7323
[email protected]
19
Back Up Slides
Back Up
20
Defense Industrial Base
Network (DIBNet)
• A classified and unclassified collaboration and information sharing
capability for DoD and Defense Industrial Base (DIB) partner use.
– To protect sensitive DoD data residing in Defense contractor facilities.
– To develop and deploy a secure infrastructure for DoD to exchange
threat products and to collaborate with DIB partners in a timely fashion
in defense of their network assets.
DIB CS/IA Data
DoD
 DoD CIO runs the DIB Cyber Security/IA Program.
User Interface
DIBNet
DC3
Data
Sources
Other
Data
Sources
 Defense Cyber Crime Center (DC3) provides the
threat products and incident analysis capability.
 2650 Cleared Defense Contractor companies are
the targeted users of DIBNet capabilities.
21
Continuous Monitoring (CM)
•Continuous monitoring is
maintaining ongoing awareness to
support organizational risk
decisions.
•CM unifies existing disparate
capabilities of operational
management and control to build out
a robust and integrated solution for
decision processes.
22
Host Based Security System
(HBSS)
23
Secure Configuration
Management (SCM)
Optimization
Automation
Innovation
• SCM is the integration and optimization of
enterprise IA applications, Services, Policy, and
standards in to a multi-tiered architecture
• SCM automates risk management processes that
are manual today
• SCM supports the delivery of Continuous
Monitoring and Advanced Threat Analysis and Risk
Scoring
Configuring assets securely in
the first place
Maintaining secure
configuration
Providing continuous
situational awareness to the
right people
24
Identity Management
• Goal: All applications and systems
use a single trusted database of all
DoD employees
• Approach:
– Utilize the DMDC and Database
– PKI authentication
– Develop policies and processes
– Cyber security credentialing
– Enterprise Email
25
DoD CIO Approach
• Customer Focus - “The warfighter expects access…”
• Centralized Guidance - Responsible for “standardization”
• Collaboration Emphasis - Partnerships and stakeholders
• Consolidated Effort - Enterprise solutions
• Capability Investment - The right talent and expertise
26
Purpose (TEMP Slide)
While USCYBERCOM must be focused on the now/near-term and strategic ,
DoD CIO must work to ensure that optimal policies, guidance and
oversight is in place to design, acquire and operate Networks that map
themselves, continuously sense and report all normal and abnormal
activity levels, and provide a global Common Operational Picture of key
data sets that can truly provide current Situational Awareness and
Indications and Warning of future threat vectors.
Focus Questions:
•
What enterprise wide initiatives are you working to provide real-time
and near term insights into threats to the DOD Cyber Domain?
•
In what key areas are you partnering with USCYBERCOM to ensure that
unclassified Cyber Intelligence is collected, analyzed and appropriately
disseminated across DOD and the DIB?
•
How does DOD CIO define Cyber Intelligence?
27
OSD/CIO Mission
Bring the power of information to the achievement of mission success in all
operations of the Department; war fighting, business, and intelligence.
 Lead the Department in achieving a persistent and dominant information
advantage for ourselves and our mission partners.
 Lead the Department in changing those policies, processes, and culture
necessary to provide the speed, accuracy, and agility to ensure mission
success in a rapidly changing and uncertain world.
 Ensure a robust and secure information environment.
 Provide modern command and control capabilities through persistent
collaboration at all levels and among all mission partners.
 Acquire new information capabilities rapidly (9-12 months) and at low cost
by delivering them as enterprise services.
28
CIO Major Areas of Activity
• Policy Development – The establishment of the direction and
expectations to ensure a Defense Information Enterprise capable of
accessing information, sharing it, and collaborate to achieve mission
success.
• Program Oversight – The leadership and expertise that provides
the recommendations for effective IT investment, avoid duplicative
efforts, prevent capability gaps, and ensure the tenants of net
centricity are adhered to.
• Acquisition Support – The guidance and oversight needed to
ensure IT programs adhere to acquisition directives, meet
information sharing expectations, and quickly progress to fielded
capabilities.
29
Refashioned DoD CIO
• Customer Focus – “The warfighter expects access…”
• Centralized Guidance – CIO responsible for “standardization”
(policy, architecture, standards, governance)
• Collaboration Emphasis – Renewed emphasis on partnerships
and stakeholders (MILDEPS, DISA, USCC, AT&L, DCMO, USD(P),
Industry, Academia)
• Enterprise Effort – Enterprise approaches; improved security
• Competence Priority – Get the right talent; leverage DISA
technical expertise
30
Enterprise Wide Initiatives
 Enterprise Services – Secure access to the data
 Data Strategy – Tag and share the data
 Information Transport – Securely move the data
 Information Assurance – Keep it dependable
 Net Ops – See and manage the networks & data
Partnering in key areas with Combatant Commands,
Services, DoD Agencies and the commercial sector
31
Link to Mission
• Success is dependent upon our ability to connect people with
information anytime, anywhere
• The DoD CIO is responsible for ensuring the delivery of critical
enabling capabilities that:
– Allow information to be accessed and shared
– Ensure partners can collaborate
– Support decision makers at all levels to make better decisions
faster and to take action sooner
Information must be given the same priority and
protection as any mission critical system or platform.
32