Top 10 Questions for Commanders to Ask About Cybersecurity
Patricia Frost and Matthew Hutchison
If the Army is to remain a dominant land power, the security and defense of Army and DoD networks must be viewed as a critical warfighting task. We have reached a point in time when the defense of our information networks is no longer the responsibility of a technical few, but rather the responsibility of every commander. Every soldier is a part of the network perimeter for their unit, the Army, the Department of Defense (DoD), and the Country. Our adversaries are maneuvering against us and attacking our networks and information in the cyber domain every day. Negligent user behavior and cybersecurity failures at the unit and tactical level now have a strategic impact. Furthermore, we rely upon our networks to mission command, conduct ISR, fires, and logistics to achieve overmatch against our adversaries. This increased dependence on our network and networked systems to fight and win increases our vulnerabilities. Because we can no longer place sole responsibility for our network protection on a small number of information technology professionals, we must educate ourselves as leaders on the risks to our networks and how we mitigate and reduce those risks. Echoing the Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I) recently signed by the Secretary of Defense and Chairman of the Joint Chiefs, neither a lack of awareness nor unwitting negligence are excuses for poor network security; Commanders at all levels will be held accountable. From leaders, to providers, to cyber warriors, to users, each soldier provides a critical link in the cybersecurity of our networks and must understand their importance and value to the system.
In order to meet these challenges, commanders should consider the following 10 questions regarding his or her organization.
1) Who is responsible for my unit’s cybersecurity posture?
Commanders are responsible for their unit’s cybersecurity. Whether it’s protecting and appropriately handling a unit’s Personally Identifiable Information (PII) to ensuring subordinate unit cybersecurity training, network protection is no longer an S6 function that receives attention only in the event of communication disruption. Commanders are responsible and thereby must inculcate cybersecurity tasks through the S3 as critical considerations for how their units conduct operations and execute mission command.
2) Who owns “cyber” in our formation?
The use of our networks is no longer just a force enabler but rather should be treated as a weapons platform–without its functionality, a unit’s ability to operate and conduct mission command would be significantly degraded or disrupted. Therefore, the same level of analysis and risk mitigation dedicated to legacy combat operations should also be done for network operations to protect the network and maintain a unit’s ability to fight. Treating the network as combat power akin to tanks, trucks, and artillery places responsibility not only on the owners and operators of the system, but also on the unit’s operational staff. It is difficult to avoid S2/S6 overlap in most cases when answering this question, but the S3, Fires, Protection and Electronic Warfare (EW) should be intimately involved with cyber planning considerations.
3) How do we gain and maintain positive accountability of all our cyber assets (equipment and data) and do we employ risk controls appropriately to address the level of risk to each?
To properly monitor, manage, and defend their networks, commanders must be aware of their unit’s network readiness and posture. Tracking and monitoring all IT systems is paramount for continually assessing risk to the network and installed systems, while prioritizing security controls for those assets. Accountability of unit data can be assessed as well to determine areas of risk for data loss (out-of-band communications, spillage, loss of hard drive, etc.). Commanders should ask ‘what does my unit footprint look like and are we constantly managing risks to mission command?’
4) How is our data protected? PII? At rest? In transit?
The DoD Privacy Program outlines policies for the protection of Personally Identifiable Information (PII) and the requirements for protecting data at rest and data in transit when sharing information. Protecting data is the duty and responsibility of all DoD users, and should be specifically discussed with human resources personnel who often have the most access to large databases of PII. Commanders must maintain accountability of their unit’s data much like physical property to prevent its loss, protect it while not being used, and be aware of its use by other parties. Commanders must maintain data protection policies for their units that can be readily inspected.
5) What are our various response plans and policies for maintaining continuity of operations?
While managing, monitoring, and defending the network will decrease the likelihood of incidents, the ability to respond to disruptive events is the mark of a competent, trained and tested command team. Commanders and their staffs should develop, implement, and practice various response scenarios to train incident response plans as unit battle drills. Responses may involve reporting the incident to higher echelons, exercising data replication, requesting external support, and conducting mission command during a disruption to network capability. In the event the response requires special support from a cyber incident response team, it is helpful to have tested the reporting mechanism and have built a relationship with a supporting element. Can your unit operate with a disrupted or non-existent network while conducting remedial action?
6) How are anomalies in the network detected, and what are my Commander’s Critical Information Requirements (CCIR)?
Units are given a baseline set of tools and team members to help monitor for network intrusion and disruption and units must continue to develop tactics, techniques, and procedures (TTPs) for network monitoring and anomaly detection. An important part of anomaly detection involves determining a unit’s network baseline, setting accurate thresholds that mark events which require further investigation, and isolating and possibly disconnecting critical mission command systems. Future advancements in this area will further increase the tools and data available at brigade level and below in order to allow unit-level network monitoring from a higher point of view (wide area network) and provide faster incident response to ensure continuity of mission command. Commanders then must understand what network activity constitutes CCIR and require leaders to make decisions.
7) How is software and hardware lifecycle managed, to include patches and Security Technical Implementation Guide (STIG) updates?
Managing product lifecycle, from acquisition to implementation to disposal, is critical to maintaining availability of important data systems. Effective software and hardware lifecycle management considers user behavior, compliance requirements, and organization processes. We must continue to use the tools of our service providers and cyber warriors to maintain the timely remediation of critical security vulnerabilities in an effort to make each connected device a hard target. Units whose IT professionals are empowered to quickly remediate deficiencies with the full support of the chain of command, regardless of inconvenience or operational tempo, will foster a culture that emphasizes cybersecurity as a unit priority. Do we treat IT deficiencies with the same attention we treat deadlined or deficient pacing items?
8) What is the unit’s contingency communications plan with lower and higher echelons and have we tested it in training?
Redundancy, or the duplication of critical communications links, is an integral part of successful network employment. Despite the increases in performance of our modern networks, hardware failure and software bugs will remain a risk, not to mention enemy activity that may cause disruption. Developing, publishing, and training alternate means of communicating must be a priority. Though it may vary depending on the mission, this communication plan includes the Primary, Alternate, Contingency, and Emergency (PACE) means of communication that must be understood by the entire organization. Using non-primary communications links often requires time and money in order to train operators on using equipment often left out of day-to-day training (high frequency radios, SATCOM radios, high capacity line-of-sight (HCLOS) equipment in Signal Company, etc.). Is our PACE plan valid and tested?
9) How do we identify the insider threat on the network within our organization?
Several recent events highlight the possibility for negligent users and malicious insiders as an increasing threat to our sensitive communications networks. Organizations can often detect and control access to data from outsiders by physical or electronic means, while implementing policies and procedures to mitigate the damage caused by outside spillage. Insider threats, however, presents a particularly difficult challenge to administrators and security staff because their access may appear legitimate. Organizations that do not properly take steps to protect sensitive data, maintain access permissions, and enforce policy compliance increase their vulnerability of adversaries gaining access to sensitive information via an intended or negligent discharge of sensitive information. How do we assess, identify, and report possible negligent or malicious users, and how can we mitigate the risk and the effect of incidents?
10) How do I assess the unit cybersecurity posture?
Units have many ways to improve the security of their organization once a robust network plan is put into place. One particularly effective method is the employment of outside organizations or higher echelons to test the resiliency of the system. These “red teams” may assess many aspects of the network from the technical settings to organizational policies. With appropriate prior planning, these teams often assess network readiness without formally notifying network administrators or users in order to more accurately simulate the behavior of adversaries. The Army has also begun to implement the DoD’s Cybersecurity Scorecard measures which includes requirements every Commander must be familiar with. What assessments have been done on our network, and how can we add a cyber component to training events?
Today, the compromise of a network at any echelon has the potential to disrupt operations anywhere around the globe. Communications and network security were once the primary domains of our unit’s communication experts. Our force is highly dependent on technology and networks to conduct combat operations. However, network vulnerabilities continue to increase the risk of potential disruption of our combat power. Therefore, to succeed in future operations and maintain operational flexibility, these considerations, now more than ever, are essential for effective mission command. As one Brigade Combat Team Commander recently noted, “The greatest threat that I face as a brigade commander on the battlefield is not tanks, Bradleys, snipers or IEDs, it’s the threat to computer network operations.”
The views expressed in this article are those of the author and do not reflect the official policy or position of the United States Military Academy, Army Cyber Command, the Department of the Army, US Cyber Command, the Department of Defense, or the US Government.