In this day and age of daily cyber-attacks from nation-states and other hacker groups against the U.S. Department of Defense, it begs the question, “Who is responsible for building and maintaining a secure, mission-oriented network that allows our Airmen to do their jobs?”
The ambiguity of cyber responsibilities among DoD and/or Service acquisition authorities, network architects and design engineers, testers, trainers, maintainers and operators has dire consequences for the ability to protect the cyber domain and other domains relying on it.
Questions of who is responsible:
- For defining requirements?
- For the racking and stacking and proper funding of requirements?
- For generating and assuring adherence to strategy and standards?
- For funding initial system designs, their integration into the DoD’s and/or Service’s networks, and the system’s maintenance/sustainment?
- For system architectures or system infrastructures, such as full-spectrum, long haul, wired and fiber lines?
- For ensuring personnel sustainment and workforce standards/studies to operate the sustainment and maintenance needed at all levels of that infrastructure?
- For keeping functionals in check with their enterprise activities?
- For the integration of new applications and tools and leading the troubleshooting efforts when they break (and they all do)?
- For security considerations, and are they inherent in the system requirements?
I’ve dedicated 25 years to the planning, delivery, and security of DoD and Air Force networks. From my experience, these questions typically result in the same answers: “Who knows who is responsible?”
The Cybersecurity & Information Systems Information Analysis Center (CSIAC) is a component of the DoD's Information Analysis Center. Its DoD cyber policy chart lists over 230 different documents that discuss how to build and operate a trusted DoD Information Network (DoDIN). Those 230 documents are further subject to the requirements of the individual Services and other competing entities. All these requirements exponentially increase the DoD's challenge to achieve situational awareness of the network across life cycle stages (strategy, design, build, train, sustain, maintain, and operate).
Developing DoD networks without this accountability and enforcement has resulted in shortfalls in delivery, security, and sustainment of infrastructure and systems. For instance, from the beginning of the requirements process, there are multiple ways to acquire a capability the functional community wants. The functional could go through the requirements process, which could be slow and cumbersome. If the functional had funding, they could also go straight to the acquisition community or the vendor to directly contract for capabilities. These a la carte options are risk variables. Shortcuts to integrated security controls place the capability and the mission relying on them at risk.
Funding can often be blamed for the lack of robustness and standardization among and within systems, but I’d argue that centralized funding would only be a partial solution to this multi-faceted issue. There also needs to be an architectural strategy that the functionals can adhere to and follow, with clearly delineated roles and responsibilities levied on the functionals and on the acquisition communities that bring applications and functional systems to the network. The strategy needs to further define who is responsible for testing and securing these systems, and who will grant the authority to operate and connect. Establishing the network architecture before systems are added to the network is key.
Many times during my 25 years with the Air Force, I saw systems brought onto the network that were not securely validated. Too many entities own parts of the network and lack the robust coordination needed to deconflict changes between administrators. Such situations have resulted in alarming network degradations that prompted forensic investigations concluding that the wounds were self-inflicted. This does not even include integration issues for the network. Systems are bought without knowing their true impact on the network, including operational uses, because of conflicts already on the network. Integration is not even included in securing new software and hardware, complicating the issues even more.
Maintainers and operators are not exempt from wreaking havoc on the network either. They are notorious for purchasing software, adding it to the network, utilizing only a few of its many capabilities, and then moving on to the next piece of software or system. The successors to many systems or software applications often do all or the majority of the previous system's functions, but the previous system was never removed from the network.
Until the cyber or cyber security strategy aligns to support mission operations as its top priority and segments the network’s roles and responsibilities across the Air Force enterprise, we’ll continue to fight these battles in a degraded state.
No one cyber entity within the DoD, Air Force, or other Services currently has the responsibility and authority to build, maintain, and operate a secure network. At best, all the communities work together to try and provide an effective, secure mission-oriented network. To date, this has been extremely ineffective and inefficient. As a result, the simple question of who is responsible for building and maintaining a secure, mission-oriented network that allows Airmen to do their jobs is seemingly impossible to answer.