Who Is Responsible for a Secure, Mission-Oriented Network?

In this day and age of each day cyber-assaults from country-states and other hacker groups towards the U.S. Section of Defense, it begs the problem, “Who is responsible for developing and sustaining a safe, mission-oriented community that lets our Airmen to do their jobs?”

The ambiguity of cyber responsibilities amongst DoD and/or Company acquisition authorities, network architects and structure engineers, testers, trainers, maintainers and operators has dire implications for the potential to safeguard the cyber area and other domains relying on it.

‘Who is responsible’ issues to reply:

  • For defining specifications?
  • For the racking and stacking and correct funding of specifications?
  • For building and assuring adherence to system and standards?
  • For funding original program designs, their integration into the DoD’s and/or Service’s networks, and the system’s servicing/sustainment?
  • For procedure architectures or process infrastructures, these kinds of as full-spectrum, prolonged haul, wired and fiber strains?
  • For ensuring personnel sustainment and workforce expectations/experiments to operate the sustainment and servicing necessary at all stages of that infrastructure?
  • For maintaining functionals in test with their enterprise functions?
  • For the integration of new apps and equipment and primary the troubleshooting attempts when they crack (and they all do)?
  • For security considerations, and are they inherent in the system needs?

I’ve dedicated 25 many years to the arranging, shipping and delivery, and security of DoD and Air Force networks. From my practical experience, these concerns generally end result in the exact solutions: “Who is aware of who is accountable?”

The Cybersecurity & Information and facts Programs Data Evaluation Heart (CSIAC) is a ingredient of the DoD’s Facts Analysis Heart. Their DoD cyber policy chart lists more than 230 unique paperwork that go over how to create and work a reliable DoD Info Community (DoDIN). Individuals 230 files are even more issue to needs of the individual Expert services and other competing entities. All these demands exponentially improve the DoD’s problem to reach situational consciousness of the community across life cycle levels (strategy, style, make, educate, maintain, retain, and function).

Developing DoD networks without having this accountability and enforcement has resulted in shortfalls in shipping, stability, and sustainment of infrastructure and techniques. For instance, from the commencing of the necessities process, there are several ways to receive a capability the practical local community desires. The purposeful could go by way of the specifications process, which could be sluggish and cumbersome. If the purposeful experienced funding, they could also go straight to the acquisition group or the seller to straight deal for abilities. These a la carte options are threat variables. Shortcuts to integrated protection controls place the capability and the mission relying on them at hazard.

Funding can typically be blamed for the deficiency of robustness and standardization amongst and within techniques, but I’d argue that centralized funding would only be a partial option to this multi-faceted problem. There also demands to be architectural technique that the functionals can adhere to and stick to, with clearly delineated roles and tasks levied on the functionals, with acquisition communities bringing applications and purposeful systems to the community. The system requirements to further outline who is dependable for testing and securing these devices, and who will grant the authority to work and link? Setting up the community architecture right before methods are extra to the network is essential.

Many moments throughout my 25 many years with the Air Drive, I noticed devices extra and brought onto the community that ended up not securely validated. Too numerous entities own components of the network and absence sturdy coordination to deconflict variations amongst directors. These predicaments have resulted in alarming community degradations that prompted forensic investigations concluding that the wounds had been self-inflicted. This does not even include things like integration concerns for the community. Units are bought with no figuring out the accurate impacts on the network, to include operational uses, mainly because there are conflicts on the network. Integration is not even included in securing new software program and hardware, complicating the troubles even far more.

Maintainers and operators are not exempt from wreaking havoc on the community both. They are notorious for acquiring software program, including it to the community, employing only a few of its lots of capabilities, and then relocating on to the following piece of software package or technique. The successors to several programs or program purposes often do all or the vast majority of the former system’s capabilities, but the preceding process was hardly ever taken off from the network.

Right up until the cyber or cyber security approach aligns to aid mission functions as its top rated priority and segments the network’s roles and responsibilities across the Air Force enterprise, we’ll go on to fight these battles in a degraded state.

No a single cyber entity inside the DoD, Air Drive, or other Expert services at present has the duty and authority to make, manage, and run a secure community. At greatest, all the communities get the job done together to try out and present an efficient, safe mission-oriented community. To date, this has been really ineffective and inefficient. As a end result, the basic query of who is liable for building and sustaining a safe, mission-oriented community that permits Airmen to do their work opportunities is seemingly unachievable to respond to.