WASHINGTON — The Pentagon should refocus cybersecurity efforts on human defenders instead of primarily relying on new technologies to protect networks, the department’s weapon tester asserted in its annual report.
Automated tools are sometimes necessary to thwart cyberthreats that attack networks at so-called machine speed. But the dynamic nature of these threats requires a combined approach using humans and machines together.
“[C]yber assessments and operational tests continue to show that where systems or networks are actively defended by well-trained personnel in environments employing Zero Trust concepts, Red Teams emulating cyber actors have difficulty degrading critical [Department of Defense] missions,” read the fiscal 2021 annual report of the Office of the Director, Operational Test and Evaluation (DOT&E).
Zero trust refers to a mindset that assumes networks are already compromised and continuously validates users, devices and data. It is not a single entity, but rather an architecture deploying a series of tools across the network.
In examining combatant command and service exercises from FY14 through FY20, DOT&E noted the importance of defending every stage of a cyberattack, particularly where an adversary moves within a network to find an objective, which can pose detection challenges for human cyber defenders.
Emerging technologies such as Office 365’s cloud environment and zero-trust architectures promise to increase defender visibility into these attacks, the report said.
Network tools are good at tipping off human operators that something malicious might be afoot. Those human operators are then best suited to use their reasoning skills to actively hunt, that is, to search the network for potential threat actors.
“Some of the greatest innovations in cybersecurity in recent years involve the use of advanced technologies like artificial intelligence/machine learning to radically improve the speed and efficacy of threat detection and prevention,” said Robert Sheldon, director of public policy and strategy at cybersecurity firm CrowdStrike. “But even for organizations leveraging the most sophisticated tools, people still comprise an essential layer of defense. Whether performing novel research, interpreting context around weak or ambiguous signals, or conducting hypothesis-driven threat hunting, human defenders are key.”
John Davis, who served as a senior military adviser for cyber at the DoD, praised the refocus on people, but said it’s “just as important to recognize the impact that modern innovations in both technology and processes are having on the skills that today’s modern cyber defenders need to be successful.”
“Automation tools can relieve [security operations center] analysts of hours of wearisome and mundane tasks, giving them time to develop and document processes for the complex work they perform and allowing them to respond to new or complex threats that are coming across attack surfaces,” said Davis, who is currently vice president of the public sector for cybersecurity specialist Palo Alto Networks. “Automating processes to account for innovations in best practices and threat intelligence sharing can help ensure that junior analysts have the correct insight to make the best determination as quickly as possible and flag issues for more experienced analysts.”
DOT&E recommended the department refocus cybersecurity efforts on people rather than technology alone. This includes doctrine, organization and training to ensure personnel can use technology to thwart intrusion attempts.
“Cybersecurity must be built into system design and the human defender should be included early on in cyber defense engineering and programmatic priorities for both system usability and training,” the report stated. “Cyber defenders can and should include dedicated mission defense teams, system users, response-action teams, commanders and network operators, all of whom should be trained and equipped to fight through cyberattacks to complete critical missions.”
The Air Force in recent years has transitioned its communications squadrons into groups of cyber defenders called mission defense teams, offloading the mundane day-to-day information technology and network-related responsibilities to the commercial sector. These teams, which differ from cyber protection teams that each armed service provides to U.S. Cyber Command, are specialized groups that protect critical Air Force missions and installations such as critical infrastructure or computers associated with aircraft and remotely piloted systems.
The Army, for its part, is working to improve the ability of its local network defenders, which will bolster its cybersecurity posture. The effort stems from its unified network plan, which aligns various modernization efforts to provide a network the service needs to share data from the enterprise to the tactical sphere in support of multidomain operations.
Specifically, the Army wants to establish roles and responsibilities at each echelon for the cybersecurity operators that actually own their own network terrain.
Currently, the Army and joint force are not optimized holistically to conduct cybersecurity operations, officials have said, which is largely because there are varying levels of responsibilities, standards and tasks for cybersecurity service providers, the local or installation level network operators, and defenders.
This has created the need to deploy the very high-end and limited cyber protection teams.
The new plan aims to get cyber protection teams back to doing what they do best: hunting on networks and focusing on threats.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.