Defense Science Board Recommendations for Defense Cyber Investment

Published: January 18, 2017

Automation, big data, modeling and simulation are all on deck.

Back in September 2016, the Defense Science Board released a report on Cyber Defense Management at the Department of Defense that seems to have flown under the radar of most people, including yours truly. For those unfamiliar with the DSB, it provides analysis and recommendations to the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD AT&L). The USD AT&L, for as long as it continues to exist under the coming reorganization ordered by the 2017 National Defense Authorization Act, provides direction to the acquisition organizations across the DoD, including the Program Executive Offices. For this reason alone, it is worth digging into the recommendations provided in the DSB’s report. These recommendations focus on how the DoD can ensure it is investing properly to enhance the cyber resilience of its systems. Here are some of the DSB’s recommendations that may prove important to industry.

  1. The DoD CIO, in conjunction with the Service and Agency CIOs, should investigate how to best use the attack data they experience on their various networks to evaluate the performance of their defenses.

    This recommendation calls for Defense organizations to develop and collect metrics “that characterize the state of cyber security for their entire software and hardware system, and then use those metrics to track the state of their cyber hygiene. These metrics should be scrupulously collected and reported. In order for these metrics to be timely, data collection will, for the most part, need to be automated.” Implication – The DSB recommends that the DoD use automated solutions that provide situational awareness, including system baseline status and efforts by adversaries to penetrate those systems.
     

  2. The DoD CIO, in conjunction with the Service and Agency CIOs, should expand their monthly cyber security status report.

    Although largely a DoD-internal recommendation, the DSB advises the DoD CIO and other organizations to collect and leverage data provided by industry partners, including “threat information beyond DoD as compiled by security research firms.” Implication – DoD will come to industry partners more often for the data it needs. Offering an automated method of providing those metrics on demand could enhance win potential on bids.
     

  3. The DoD CIO and CISO should architect and plan for increasingly automated cyber management operations in order to reduce the time networks are vulnerable to known attack vectors, and to increase visibility.

    File this under the automated solution recommendation discussed above, with the caveat that the automated cyber status and visibility function should be “baked into” systems as they are developed. Implication – Look for requirements along these lines to increasingly show up in system development RFPs. Cloud providers should also anticipate that Defense customers will request these kinds of capabilities for cloud-based solutions.
     

  4. Lastly, DoD should expand the resources available to the Office of the Deputy Assistant Secretary of Defense for Command, Control, and Communication, Cyber, and Business Systems, in conjunction with the Modeling and Simulation Coordination Office … to continue and expand cyber investment modeling work. The ODASD(C3CB) and M&SCO should [then coordinate] a multi-phased approach to develop a single model to inform DoD cyber investments, with a particular focus on warfighting systems.

    Fundamentally a big data challenge, this recommendation seeks to build on modeling and simulation efforts for cyber that are already underway at the DoD. Implication – Big data vendors and those with advanced R&D capabilities may want to keep tabs on the ODASD(C3CB) and M&SCO to determine if there may be a requirement in development along the lines recommended by the DSB.