CYBER DOMAIN Situational Awareness AFCEA, San Antonio, TX 7 June 2011 Robert J. Carey DEPUTY ASSISTANT SECRETARY OF DEFENSE (Information Management, Integration, and Technology) & DoD DEPUTY CHIEF INFORMATION OFFICER (703) 614-7323 robert.carey@osd.mil

Areas for Today’s Discussion DoD Cyber Landscape/Situation DoD Cyber Strategy DoD CIO – CYBERCOM Relationship Cyber Intelligence Challenge of Situational Awareness Initiatives The Way Ahead

Defense Industrial Base DoD Network Landscape IT Systems DoD IT User Base 1.4 million active duty 750,000 civilian personnel 1.1 million National Guard and Reserve 5.5+ million family members and military retirees 146 + countries 6,000 + locations 600,000 + buildings and structures ~10,000 Operational systems (20% mission critical) >772 Data Centers ~67,000Servers ~7+ million computers and IT devices ~15,000 networks Thousands of email servers, firewalls, proxy servers, etc. Total IT Budget Problem Decentralized planning, standards, and operations over the years Rapidly evolving technology Has Resulted In Increased Cyber vulnerabilities Impediments to joint operations Large cumulative costs Inability to fully capitalize on information technology >$ 38 Billion in FY12 >$16 Billion in IT Infrastructure >$2 Billion for Cyber Security Defense Industrial Base 36 DIB partners 2650 Cleared Def Contractors Thousands of business partners

Our Challenge The warfighter expects/needs access to information – from any device, anywhere, anytime Notes from Carey (ekw): Use the ESES example – lesson learned – architecture before you begin

Need Greater Connectivity, Agility, And Flexibility Situation Our vast current attack surface cannot be defended well Absolute reliance upon networks to accomplish our National Security mission Our Networks are complex and expensive to defend and maintain USG and Industry largely in the same situation Defense Cyber Crime Center (DC3) and the DIB are our intelligence information sharing platforms via DIBnet Partnership with Intelligence Community essential Need Greater Connectivity, Agility, And Flexibility

Get In Front of the Threat DoD’s Cyber Strategy 5 Pillars Cyberspace as a domain New defense operating concepts Extending cyber defenses International partners Technology and innovation Treating cyberspace as a domain Employment of new defense operating concepts Extending cyber defenses (DHS lead) Protect privacy and civil liberties Protect national critical infrastructure Supply Chain Risk Management International partners Technology and innovation Establish Strong public-private partnership Focus Research and Development efforts Leverage private sector innovation Implement “Security by design” Shorten development and acquisition cycles Recruit, train, and retain a Cyber cadre Get In Front of the Threat

DoD CIO – USCYBERCOM Relationship Establishes policies, processes, and standards for ensuring information delivery and authorized access. USCYBERCOM Operates and defends DoD’s elements of cyberspace to leverage emerging technologies and to counter evolving threats. Policies Processes Standards DoD CIO USCYBERCOM DoD CIO relies on USCYBERCOM to: Determine the operational effectiveness of policy Enforce policy compliance Share their knowledge of new capabilities or threats that require policy or guidance USCYBERCOM relies on the DoD CIO for policies and direction concerning information management, integration, technology, and security Operational Requirements Emerging Threats Effectiveness Measures Operational Orders DoD Components DISA

Cyber Intelligence Collection & Analysis of Data from All Sources Understanding of Internet, Networks and Integration Indications and Warnings Existing Situational Awareness Tools Develop new tools Internet ‘Data-Mining’ Synthesis & Analysis of Data Integrate Information into ‘Actionable Decisions’ Common Operating Picture a must Framework for I&W and SA Sharing Across DOD, USG, Defense Industrial Base (DIB) a model Mechanism for Management & De-confliction While protecting sensitive information USG DoD DIB

Cyber Intelligence Definitional Attributes: Timely network activity information Proactively managed to allow operational commanders maneuver space Trusted network activity information Combination of all source and organic sensor information Actionable Enables risk based decisions and actions Defensive and Offensive

Secretary of Defense Efficiencies DoD IT Strategy and Roadmap Goals Secretary of Defense Efficiencies Cyber Security Improve the security of DoD networks and information from all threats Efficiency Reduce duplication in the DoD IT Infrastructure, and deliver significant efficiencies across the Department Effectiveness Improve mission effectiveness and combat power throughout the Department Key Benefits • Unity of command Consistent and improved user experience Rapidly deliver new business and mission capabilities Increase interoperability with in - place systems Global access to needed information Improve availability and reliability Key Benefits • Unity of effort Do more with less Reduce acquisition, procurement and sustainment cost Improve IT cost awareness Eliminate redundant effort and cost Are our IT systems working for us? Are we using our resources efficiently? Are we using our resources efficiently? Are our IT systems working for us? Are our IT systems secure? Mission Effectiveness Benefits Unity of command Consistent and improved user experience Rapidly deliver new business and mission capabilities Increase interoperability with in-place systems Global access to needed information Improve availability and reliability Cyber Security Benefits Unify command and control of critical networks Detect and eliminate malicious activity Validate access to information based on enterprise identity and user attributes Efficiency Benefits Unity of effort Do more with less Reduce acquisition, procurement and sustainment cost Improve IT cost awareness Eliminate redundant effort and cost Key Benefits • Unify command and control of critical networks Detect and eliminate malicious activity Validate access to information based on enterprise identity and user attributes Are our IT systems secure? Enterprise Approach Is Critical DoD IT infrastructure optimization goals are directly tied to a CIO’s “Three Core Questions”

IT Infrastructure Consolidation Initial Actions Data Center consolidation Network Standardization / Optimization Enterprise Identity Management – secure authentication to network and data – drive anonymity from networks Enterprise Email – Single global directory service (Single DoD “Phone Book”) Enterprise Hardware/Software Contracts & Procurement - Leverage Department’s buying power Optimize/Reduce Number of Networks (NIPR/SIPR) Reduce footprint, simplify architecture, increase our ability to defend

Network Optimization

Enterprise-Wide CND Initiatives Implementing a broad set of initiatives for Computer Network Defense: Trust based Certification and Accrediation Situational Awareness Capabilities Host-Based Security System (HBSS) Defense Industrial Base (DIB) Support Supply Chain Risk Management (SCRM) strategy Insider Threat Mitigation Continuous Monitoring Secure Configuration Management Demilitarized Zones (DMZ) Web Content Filtering E-Mail Security Gateway DNS Hardening Network Scanners Initiated IT Acquisition reform efforts Initiated IT Consolidation efforts Implementing a broad set of initiatives for Computer Network Defense Insider Threat Vulnerabilities in the Defense Industrial Base (DIB) Network attacks & Host-Based Security System (HBSS) Federal-wide Supply Chain Risk Management (SCRM) strategy Partnering in key areas with the IC, Combatant Commands, Services, DoD Agencies and Industry

Challenge of ‘Situational Awareness’ Information necessary for a Cyberspace Common Operational Picture (COP) supporting Situational Awareness (SA) and enabling C2 decision making comes from disparate Indications & Warnings (I&W) sources Diverse set of capabilities making interoperability a challenge Legacy point-to-point interfaces inhibiting information sharing Synthesis of “Internet ” feeds (Data Mining) is essential to feed a COP and understand the environment Need validated requirements for a customizable unified community resource for detection, analysis, or presentation Need a cohesive ‘Data Strategy’ linked to net as part of network optimization DoD lacks an accurate, cohesive, near real-time depiction of the cyber environment thus limiting timely and effective decision making. Over 30 disparate SA data/information sources exist with no customizable unified community resource for detection, analysis, or presentation/COP capability essential to gauge operational readiness by CYBERSOM , COCOMs, Services and Agencies. Data necessary for SA success exists on multiple networks, several of which are inaccessible to the SA and C2 decision maker community. A lack of JROC vetted/validated requirements upon which to select solutions at this point. Currently no central list of validated requirements, just ‘ideas’.   Lack of a “Data Strategy”: CYBERCOM continues to work with DISA and the CC/S/As on the data strategy problem. Whereas no one solution will meet all requirements, no one data source will provide the answer. Current data strategy efforts include identification of Cyber SA/COP/I&W effects, information, data, and data elements necessary for success, and the elimination/realignment or resources from no longer identified or duplicative data to identified resources critical to mission success. DISA and USCC will continue to work the data strategy effort with the community. How do we integrate current initiatives, leverage dollars and move forward with increased capabilities? Must Overcome Obstacles to Information Access & Sharing

Situational Awareness Initiatives Seeking to leverage technologies to create a net centric architecture which easily allows current and future, unintended, data sources to be combined and utilized for SA: Continuous Monitoring (CM) Secure Configuration Management (SCM) Host Based Security System (HBSS) Identity Management – PKI enablement Situational Awareness - Global NetOps Information Sharing Environment (GNISE) Internet Data Mining – In combination with CM Host Based Security System (HBSS) baseline is a flexible, commercial-off-the-shelf (COTS)-based application. It monitors, detects, and counters against known cyber-threats to Department of Defense (DoD) Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA PEO-MA is providing the program management and supporting the deployment of this solution. Allow for more balanced Risk Management

Developing Situational Awareness Capabilities Strategic Operational Tactical Civilian IC Coalition Mission Needs Communities Shared SA Info Sharing NetOps SA Data Data Analytics / Service Gadgets Information Portal Enterprise 2.0 for NetOps SA Web Services Dashboards Reports Data Streams Data Visualization Service Mashup DIBNet DC3 Data Sources DIB CS/IA Data User Interface Integration Other Data Sources DISA NetOps Data User Interface CND UDOP cd CND UDOP - Moving into the GNISE with other capabilities like JIMS, to provide the overall pictures of NetOps activities. CND User Defined Operational Picture (CND UDOP) - Provides CND Tier I & II Users the situational awareness visualization of correlated IA/CND activities from multiple DoD data sources including asset inventory and incident reports. Joint Incident Management System (JIMS) – Incident Management module Module integrated into the GNISE framework Provides bi-directional data exchange for CC/S/A CND Incident Reports Global NetOps Information Sharing Environment (GNISE) - Common architecture framework for integrating, normalizing, and processing NetOps information from GIG resources to provide shared Situational Awareness. - Pilot provides GNISE framework and initial Joint Incident Management capability. - Not an approved Program of Record for SA. Defense Industrial Base Network (DIBNet) – Is a classified and unclassified collaboration and information sharing capability for DoD and Defense Industrial Base (DIB) partner use. Interfaces with the GNISE framework, objective is to protect sensitive DoD data residing in Defense contractor facilities. To develop and deploy a secure infrastructure for DoD to exchange threat products and to collaborate with DIB partners in a timely fashion in defense of their network assets. DIBNet-U is an unclassified web portal that includes a registration process, document libraries, collaboration tools, and a reporting feature. This is a PKI protected web portal that requires a user to have or obtain DoD-approved medium assurance certificates. DIBNet-S enables classified communications at the Secret level. DIBNet-S in current state is a hub and spoke architecture operated at/by the DoD Cyber Crime Center (DC3). As part of the DIBNet program, DIBNet-S will be hosted and sustained by DISA, and include improved functionality. Hosting on DISA infrastructure is critical to ensure scalability and continuity of operations. To the fullest extent possible, DIBNet-S should have the same look and feel as DIBNet-U.  Integration JIMS Data Mining Custom Data Sources GNA, GEM, GCM, CIP Data Sources Web Services Enterprise Services (Auth, Messaging, Cross Domain) NetOps Apps SIM CDC Transition Custom Data Sources JCD Data Web Services JCD

We are creating an information advantage. The Way Ahead Pursue our goal of affording secure access to information for the warfighter from any device Our strategy is to consolidate and standardize elements of the networks to more effectively defend them and confront threats with agile information sharing Our focus is to embed the policies, procedures, oversight, and culture that enable information sharing into the Defense community and its mission partner Continue to leverage extensive and unprecedented capabilities afforded by the Information Age Continue to partner with industry to deliver National Security in Cyberspace - “Uncertainty” of the 21st Century - in terms of threats, opportunities, adversaries, operations, and partners. DoD CIO and CYBERCOM working to integrate capabilities and data sources into a community resource that provides a GIG wide COP enabling SA and C2 decision making. Several efforts coming to fruition, but there are ‘gaps’. No one initiative meets all ‘requirements’. No one data source will provide the answer. Continuing to orchestrate the development of a ‘Data Strategy.’ Elimination/Realignment of obsolete resources or duplicative data. Continuing to move towards the integration of current efforts, leveraging of funds and increased capability. We are creating an information advantage.

How Can You Help? Ask hard questions Leverage your best and brightest Innovate Help us find lasting solutions that scale Be part of our success Partnership

Agile and secure information capabilities to enhance combat power and decision-making. Robert J. Carey DEPUTY ASSISTANT SECRETARY OF DEFENSE (Information Management, Integration, and Technology) & DOD DEPUTY CHIEF INFORMATION OFFICER (703) 614-7323 robert.carey@osd.mil 19

Back Up Slides Back Up 20

Defense Industrial Base Network (DIBNet) A classified and unclassified collaboration and information sharing capability for DoD and Defense Industrial Base (DIB) partner use. To protect sensitive DoD data residing in Defense contractor facilities. To develop and deploy a secure infrastructure for DoD to exchange threat products and to collaborate with DIB partners in a timely fashion in defense of their network assets. DIBNet DC3 Data Sources DIB CS/IA Data User Interface Other Data Sources DoD DIBNet-U is an unclassified web portal that includes a registration process, document libraries, collaboration tools, and a reporting feature. This is a PKI protected web portal that requires a user to have or obtain DoD-approved medium assurance certificates. DIBNet-S enables classified communications at the Secret level. DIBNet-S in current state is a hub and spoke architecture operated at/by the DoD Cyber Crime Center (DC3). As part of the DIBNet program, DIBNet-S will be hosted and sustained by DISA, and include improved functionality. Hosting on DISA infrastructure is critical to ensure scalability and continuity of operations. To the fullest extent possible, DIBNet-S should have the same look and feel as DIBNet-U.  DoD CIO runs the DIB Cyber Security/IA Program. Defense Cyber Crime Center (DC3) provides the threat products and incident analysis capability. 2650 Cleared Defense Contractor companies are the targeted users of DIBNet capabilities.

Continuous Monitoring (CM) Continuous monitoring is maintaining ongoing awareness to support organizational risk decisions. CM unifies existing disparate capabilities of operational management and control to build out a robust and integrated solution for decision processes. Continuous Monitoring (CM) - Unifies existing disparate capabilities of operational management and control to build out a robust, automated, and integrated solution for expedited decision processes of all aspects of future computer network operations.  

Host Based Security System (HBSS)

Secure Configuration Management (SCM) SCM is the integration and optimization of enterprise IA applications, Services, Policy, and standards in to a multi-tiered architecture Optimization SCM automates risk management processes that are manual today Automation SCM supports the delivery of Continuous Monitoring and Advanced Threat Analysis and Risk Scoring Innovation Secure Configuration Management (SCM) - The integration and optimization of enterprise IA applications, Services, Policy, and standards in to a multi-tiered architecture. - Supports the delivery of Continuous Monitoring and Advanced Threat Analysis and Risk Scoring. In order to get defenses in places before vulnerabilities can be exploited, network defenders at all tiers must be able to accurately and quickly assess the security state of their networks and act quickly to fix new vulnerabilities. SCM provides these basic functions, using existing tools, through use of standards and automation SCM is a multi-tiered architecture designed for managing and controlling the secure configuration of information systems on the GIG. The near-term SCM focus is on managing risk and improving timeliness, accuracy, and scope of enterprise situational awareness. Longer term, SCM will provide capabilities for automated C2 Overall, the objective of SCM is to provide integrated, timely and accurate configuration control of information systems on the GI Configuring assets securely in the first place Maintaining secure configuration Providing continuous situational awareness to the right people

Link all PKI authentication to the identities in the DMDC database Identity Management Goal: All applications and systems use a single trusted database of all DoD employees Approach: Utilize the DMDC and Database PKI authentication Develop policies and processes Cyber security credentialing Enterprise Email Identity Management - All applications and systems use a single trusted database of all DoD employees. Approach is to use: the DMDC and Database, PKI authentication, Enterprise Email, and credentialing, along with the development of policies and processes. The attacks on September 11, 2001 (9/11) demonstrated the impact of an enemy’s anonymity in conducting decisive, asymmetric operations against the United States. Furthermore, the resulting investigations highlighted the multiple missed opportunities to mitigate, even prevent, the attacks had information sharing across Federal and DoD organizations occurred. The inability to share information prior to 9/11 illustrates how the rapid maturation of information technology and DoD’s growing dependence on information systems capability requires focus and advancement in Identity and Privilege Management challenges. Identity and Privilege Management is the combination of technical systems, policies and processes that create, define, govern and synchronize the ownership, utilization and safeguarding of identity information in concert with the management of authorization to perform an action on a physical or logical resource. The DoD CIO Identity Assurance / Program Key Infrastructure Office leads the coordination, development and implementation of Identity and Privilege Management capabilities (IPvM) across the DoD as a co-chair of the IPvMWG. The Draft CONOPS and Implementation Guidance will be completed in FY11. The IPvMWG has over 200 registered members across the Department. Goal: All applications and systems use a single trusted database of all DoD employees Approach: Utilize the Defense Manpower Data Center and Database which contains all active DoD employees Link all PKI authentication to the identities in the DMDC database Develop policies and processes to require that all applications use the DMDC database for identity management Provides a platform to link all cyber security credentialing to be used for establishing and tracking information access DMDC database exists and is the authoritative source for personnel identity credentials. Utilized for Army Enterprise Email To be utilized for joint DoD/VA EHR system

DoD CIO Approach Customer Focus - “The warfighter expects access…” Centralized Guidance - Responsible for “standardization” Collaboration Emphasis - Partnerships and stakeholders Consolidated Effort - Enterprise solutions Capability Investment - The right talent and expertise As an arm of the Office of the Secretary of Defense: Responsible for setting policy and providing oversight of information processes, systems, and technologies. As the Principal Staff Assistant: Provides the expertise to advise the Secretary. As the DoD Chief Information Officer : Executive responsible for ensuring that capabilities are delivered. Major Areas of Activity: Policy Development – The establishment of the direction and expectations to ensure a Defense Information Enterprise capable of accessing information, sharing it, and collaborate to achieve mission success. Program Oversight – The leadership and expertise that provides the recommendations for effective IT investment, avoid duplicative efforts, prevent capability gaps, and ensure the tenets of net centricity are adhered to. Acquisition Support – The guidance and oversight needed to ensure IT programs adhere to acquisition directives, meet information sharing expectations, and quickly progress to fielded capabilities. DoD CIO Mission Specifics – IAW DoD D 5144.1, dtd 2May05 Principal staff assistant and advisor to the Secretary of Defense on networks and network-centric policies and concepts. Information architect for the DoD enterprise information environment, providing oversight and policy guidance to ensure compliance with standards for developing, maintaining, and implementing sound integrated and interoperable architectures across the Department, including intelligence systems and architectures. Leads the formulation and implementation of enterprise-level defense strategies from the information, IT, network-centric, and non-intelligence space perspective.

Purpose (TEMP Slide) While USCYBERCOM must be focused on the now/near-term and strategic , DoD CIO must work to ensure that optimal policies, guidance and oversight is in place to design, acquire and operate Networks that map themselves, continuously sense and report all normal and abnormal activity levels, and provide a global Common Operational Picture of key data sets that can truly provide current Situational Awareness and Indications and Warning of future threat vectors. Focus Questions: What enterprise wide initiatives are you working to provide real-time and near term insights into threats to the DOD Cyber Domain? In what key areas are you partnering with USCYBERCOM to ensure that unclassified Cyber Intelligence is collected, analyzed and appropriately disseminated across DOD and the DIB? How does DOD CIO define Cyber Intelligence?

OSD/CIO Mission Bring the power of information to the achievement of mission success in all operations of the Department; war fighting, business, and intelligence. Lead the Department in achieving a persistent and dominant information advantage for ourselves and our mission partners. Lead the Department in changing those policies, processes, and culture necessary to provide the speed, accuracy, and agility to ensure mission success in a rapidly changing and uncertain world. Ensure a robust and secure information environment. Provide modern command and control capabilities through persistent collaboration at all levels and among all mission partners. Acquire new information capabilities rapidly (9-12 months) and at low cost by delivering them as enterprise services.

CIO Major Areas of Activity Policy Development – The establishment of the direction and expectations to ensure a Defense Information Enterprise capable of accessing information, sharing it, and collaborate to achieve mission success. Program Oversight – The leadership and expertise that provides the recommendations for effective IT investment, avoid duplicative efforts, prevent capability gaps, and ensure the tenants of net centricity are adhered to. Acquisition Support – The guidance and oversight needed to ensure IT programs adhere to acquisition directives, meet information sharing expectations, and quickly progress to fielded capabilities.

Refashioned DoD CIO Customer Focus – “The warfighter expects access…” Centralized Guidance – CIO responsible for “standardization” (policy, architecture, standards, governance) Collaboration Emphasis – Renewed emphasis on partnerships and stakeholders (MILDEPS, DISA, USCC, AT&L, DCMO, USD(P), Industry, Academia) Enterprise Effort – Enterprise approaches; improved security Competence Priority – Get the right talent; leverage DISA technical expertise

Enterprise Wide Initiatives Enterprise Services – Secure access to the data Data Strategy – Tag and share the data Information Transport – Securely move the data Information Assurance – Keep it dependable Net Ops – See and manage the networks & data Initiated IT Acquisition reform efforts Initiated IT Consolidation efforts Implementing a broad set of initiatives for Computer Network Defense Insider Threat Vulnerabilities in the Defense Industrial Base (DIB) Network attacks & Host-Based Security System (HBSS) Federal-wide Supply Chain Risk Management (SCRM) strategy Partnering in key areas with Combatant Commands, Services, DoD Agencies and the commercial sector

Link to Mission Success is dependent upon our ability to connect people with information anytime, anywhere The DoD CIO is responsible for ensuring the delivery of critical enabling capabilities that: Allow information to be accessed and shared Ensure partners can collaborate Support decision makers at all levels to make better decisions faster and to take action sooner Information must be given the same priority and protection as any mission critical system or platform.