By Mr. Andrew Fulton, Mr. Keith Ramsey and Mr. Thomas Quigley, DIBCSO
March 16, 2018
When it comes to protecting classified information, military personnel, civilians and contractors know the rules by heart. And if they don't, required annual or semiannual retraining reminds everyone of the rules.
But for at least one category of unclassified information, those rules become murky. This sometimes overlooked aspect of maintaining U.S. technological superiority is a growing concern as global access to the internet increases and cyberattacks become more sophisticated and commonplace.
In February, Deputy Secretary of Defense Patrick M. Shanahan suggested new regulations may be set to ensure that industry partners better secure their computer networks and the information residing on those networks. "We want the bar to be so high, it becomes a condition of doing business," Shanahan said at the annual 2018 WEST Conference in San Diego.
The security challenge is particularly complex when it comes to what is known as controlled technical information (CTI). This unclassified information can, by itself or when aggregated, provide significant insight into U.S. Army capabilities. CTI is often information used in the design, production, manufacturing, development, testing, operation or maintenance processes of goods or materiel with military applications. More specifically, according to DOD, this critical information can include research and engineering data, engineering drawings, specifications, manuals, technical reports and even catalog-item identifications or source code.
Developed and used in support of DOD acquisition programs, CTI is vulnerable to loss by traditional and nontraditional intelligence collection because it is unclassified. When enough CTI is lost, that can significantly degrade U.S. Army technological superiority and the resultant military capability, undermining modernization efforts.
CTI exists on both DOD-owned and contractor-owned systems and networks. With a growing threat from nation-state and nonstate actors to infiltrate private computer networks and gain access to CTI, the manufacturing and innovative edge that the U.S. currently holds could be in jeopardy. In FY17 alone, cyber actors compromised at least 2.4 terabytes of DOD information residing on unclassified networks at companies that are part of the defense industrial base.
Now, DOD is approaching the problem from a fresh perspective. A new reporting requirement that went into effect earlier this year aims to track the damage comprehensively. At the same time, the Army is working proactively to protect the information from getting out in the first place. For program managers (PMs) and program executive officers (PEOs), the challenge is to accurately identify and protect CTI while meeting cost, schedule and performance objectives without any degradation of requirements supporting the Soldier.
DOD efforts to mitigate cyber intrusions into the defense industrial base date to 2007, when the department first established a voluntary cybersecurity information-sharing program, the Defense Industrial Base Cyber Security (DIB CS) Program.
With the purpose of enhancing and supplementing the ability of defense industrial base companies to safeguard DOD information that resides on or travels through their unclassified information systems, the program created a process for voluntarily reporting cyber intrusions on their unclassified networks. This marked the first joint effort between defense industrial base companies and DOD to identify and assess compromised unclassified program information that ultimately could put the warfighter at risk.
The information gathered by the DIB CS Program gave DOD insight into the scope of damage to unclassified technical information and patterns of compromise. But it was still voluntary--meaning that DOD could obtain only limited insight into the total loss of information within the defense industrial base.
WIDENING THE NET
The voluntary has since become mandatory. A clause amending the Defense Federal Acquisition Regulation Supplement (DFARS) took effect on Nov. 18, 2013, requiring all companies doing business with DOD to report any instances of possible exfiltration, manipulation or other loss or compromise of unclassified CTI. At the same time, these companies must also provide adequate cybersecurity measures to protect CTI on their unclassified information systems from unauthorized access and disclosure. Any DOD information compromised in cyber incidents must go through a specified damage assessment, originally established for voluntary incident reporting.
To address the appropriate level of security, DOD, in coordination with the National Institute of Standards and Technology, published a full list of security controls in "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." Companies are now required to be in full compliance with these security controls, which went into effect Jan. 1, 2018.
However, recognizing that reactive reporting could only go so far, DOD also determined that there was a need for a strategic effort to address data losses. To supplement the reactive reporting, the department established a joint analysis capability, known as the Joint Acquisition Protection and Exploitation Cell (JAPEC), to integrate existing acquisition, intelligence and law enforcement and counterintelligence data, analysis, processes and tools to protect unclassified CTI in DOD's most critical programs and technologies.
A TERABYTE OF PREVENTION
JAPEC is set up to proactively mitigate future losses and exploit opportunities to deter, deny and disrupt adversaries that threaten U.S. military advantage by accessing unprotected CTI. It aims to prevent DOD data compromise by increasing the sharing of data and information deemed highly advantageous to potential adversaries across the acquisition, intelligence, security, law enforcement and counterintelligence communities.
For example, DOD organizations may share a technology related to a missile system. One service identifies this technology as CTI and develops countermeasures designed to lower the risks of compromise by the adversary. That service then shares this information with the JAPEC community, providing all involved organizations with situational awareness and ultimately raising the ability to thwart adversary attacks.
At the Army level, the assistant secretary of the Army for acquisition, logistics and technology (ASA(ALT)) is leading a JAPEC Army working group to focus critical resources and leverage existing program protection processes to enhance protection of CTI. The working group, with participation from Army G-2, G-3/5/7, the U.S. Army Acquisition Support Center, the System of Systems Engineering and Integration Directorate (SOSE&I), the deputy assistant secretary of the Army for research and technology, and PEOs, is designed to integrate stakeholder activities and resolve policy and process issues. The working group's initial actions resulted in an ASA(ALT) policy memorandum assigning roles and responsibilities for identifying and protecting unclassified CTI.
Also within ASA(ALT), the Army Defense Industrial Base Cyber Security Office (DIBCSO) is responsible for coordinating the proactive protection of Army CTI through the JAPEC. Each year, ASA(ALT) develops a critical programs and technologies (CP&T) list to facilitate this process. The list prioritizes key Army programs and technologies identified by Army PEOs, PMs and science and technology project managers.
The CP&T list includes program, project and technology names and descriptions, contract numbers and contractor cage codes--short ID numbers that provide a standard method of identifying contractors and their facilities. This information is cross-checked with JAPEC to determine if the systems or technologies have been threatened or compromised elsewhere across DOD. This provides PEOs and PMs access to a wide array of intelligence threat reporting, law enforcement and counterintelligence reports and security information with which they can make informed risk management decisions. For example, if a hacker breached the system of a Marine Corps contractor and obtained data related to a joint program, Army stakeholders would know quickly and could then take steps to prevent further intrusion and damage.
To further assist PMs, the Office of the Undersecretary of Defense for Research and Engineering will soon publish a DOD directive that establishes policy and assigns responsibilities to assess technical information losses and determine consequences. In the interim, ASA(ALT) drafted a policy memorandum and implementation plan that defines the roles and responsibilities for the Army acquisition community to identify and protect CTI. Additionally, DIBCSO is educating all Army PEOs on the JAPEC and their responsibility to identify and protect CTI.
With the increasing reliance on technology as a vital part of Army modernization, DOD and the Army will continue to be the target of adversaries' efforts to collect CTI. Because most technical data resides on unclassified, non-DOD networks, traditional methods of protection are no longer sufficient.
The DOD JAPEC is helping to thwart these attempts by developing a system that makes it easier for DOD stakeholders to increase information sharing, collaboration, analysis, risk management and protection. Through this work, JAPEC strives to evolve current practices from reactionary to proactive, with the end goal of preventing degradation of the U.S. advantage in the battlespace.
SOSE&I continues to work with JAPEC to establish Army processes and methodology that can be consistently applied across all Army critical programs and technology. Effective processes and methodology are key to ensuring that we deny our adversaries access to our most critical unclassified CTI and, as a result, retain our innovative capabilities.
This article will be published in the April-June 2018 Army AL&T magazine.