In this age of daily cyberattacks by nation states and other hacker groups against the US Department of Defense, the question arises: “Who is responsible for building and maintaining a secure, mission-focused network that allows our Airmen to do their job?”
Ambiguity of cyber responsibilities between DoD and/or service acquisition authorities, network architects and design engineers, testers, trainers, maintainers and operators has dire consequences for the ability to protect the cyber domain and the other domains that depend on it.
“Who is responsible” questions to answer:
- To define the needs?
- For the storage, staffing and adequate funding of those needs?
- To generate and ensure compliance with strategy and standards?
- To fund initial system designs, integration into DoD and/or Service networks, and system maintenance/support?
- For system architectures or system infrastructures, such as full-spectrum, long-haul, cable and fiber lines?
- To ensure personnel sustainment and manpower standards/studies that provide the necessary upkeep and maintenance at all levels of this infrastructure?
- To keep functional communities in check with their business activities?
- For integrating new apps and tools and directing troubleshooting efforts when they break down (and they all do)?
- For security considerations, and are they inherent in system requirements?
I have dedicated 25 years to the planning, delivery and security of DoD and Air Force networks. In my experience, these questions usually lead to the same answer: “Who knows who is responsible?”
The Cybersecurity and Information Systems Information Analysis Center (CSIAC) is a component of the DoD Information Analysis Center. Its DoD Cybersecurity Policy Chart lists over 230 different documents that explain how to create and operate a trusted DoD Information Network (DoDIN). These 230 documents are further subject to the requirements of individual departments and other competing entities. All of these requirements exponentially increase the challenge for the DoD to achieve network situational awareness across the lifecycle stages (Strategy, Design, Build, Train, Sustain, Maintain, and Operate).
Developing DoD networks without this accountability and enforcement has resulted in gaps in the delivery, security, and maintenance of infrastructure and systems. For example, early in the requirements process, there are several ways to acquire a capability desired by the functional community. The functional could go through the requirements process, which can be slow and tedious. If the functional has funding, it could also go directly to the acquisition community or the supplier to contract capabilities directly. These à la carte options are risk variables: shortcuts around built-in security checks endanger the capability and the mission that depends on it.
Funding can often be blamed for the lack of robustness and standardization between and within systems, but I would argue that centralized funding would only be a partial solution to this multi-faceted problem. There must also be an architectural strategy that functionals can buy into and follow, with clearly defined roles and responsibilities imposed on functionals and on the acquisition communities that bring functional applications and systems to the network. The strategy should further define who is responsible for testing and securing these systems, and who will grant operating and logging authority. Establishing the network architecture before adding systems to the network is essential.
Many times in my 25 years with the Air Force, I have seen systems added and put on the network that were never securely validated. Too many entities own parts of the network and lack strong coordination to resolve conflicts between administrators. Such situations have led to alarming network degradations, with forensic investigations concluding that the wounds were self-inflicted. That doesn’t even include integration issues for the network. Systems are purchased without knowing their true impact on the network, including operational uses, because of conflicts already on the network. Integration is not even included in securing new software and hardware, further complicating issues.
Maintainers and operators are also not exempt from wreaking havoc on the network. They have been known to buy software, add it to the network, use only a few of its many features, and then move on to the next software or system. Successors of many systems or software applications often perform all or most of the functions of the previous system, but the previous system was never removed from the network.
Until the cybersecurity strategy aligns to support mission operations as a top priority and segments network roles and responsibilities across the Air Force enterprise, we will continue to fight these battles in a degraded state.
No cyber entity within the DoD, Air Force, or other services currently has the responsibility and authority to build, maintain, and operate a secure network. At best, all communities work together to try to provide an efficient and secure mission-oriented network. To date, this has been extremely inefficient and ineffective. Therefore, it seems impossible to answer the simple question of who is responsible for building and maintaining a secure, mission-driven network that enables Airmen to do their jobs.