SIGNAL’S QUARTERLY SPECIAL SECTION

SPONSORED BY Fortinet, Inc.

Cyber Ethics Vex Online Warfighters

The United States wrestles with daunting guidelines to carry out warfare in the fifth domain.

BY SANDRA JONTZ

The Cyber Edge | A SIGNAL Media publication | Sponsored by Fortinet, Inc.

Gathering around a single laptop, soldiers from Team National Guard map out a strategy to win the U.S. Army’s Cyber Center of Excellence’s multiservice NetWar competition in 2014. The exercise was created to build the cyber operators’ capabilities in the new warfighting domain.

A burgeoning breed of combatants fights in a convoluted new domain where no one has blazed a trail, where no history books offer lessons or guidance. These warriors sometimes use untested offensive and defensive network maneuvers to secure cyberspace, the increasingly important and congested battleground rapidly becoming the attack venue of choice.

The technology to succeed in this ongoing fight actually already exists, as does the well-trained work force, experts say. The question now hovers over what ethical guidelines the United States will employ to carry out cyber warfare—where dynamic real-world events shape the malleable rules of engagement.

“We are responsible for training technically and tactically competent leaders who are about to enter a world where they have to make decisions that have never been made before—in a very sort of cloudy and complex environment,” says Maj. Charlie Lewis, USA, chief of the Cyber Leader College at the Army Cyber Center of Excellence, Fort Gordon, Georgia. “We’re expecting a lot [from] these 23-, 24-year-olds.”

Military leaders must consider the ethics of warfare as they draft policies that will govern cyber operators’ missions in this disruptive experience of war, says Gen. Larry D. Welch, USAF (Ret.), the 12th chief of staff of the U.S. Air Force. “The cyberwarrior encounters a moral issue ... only if the legal order is seen as morally unacceptable. While that has been an issue in other domains in the past, it is, in fact, less likely in the cyber domain. Cyberwarriors simply do not face the kind of conditions that produced the My Lai massacre, for example,” Gen. Welch says of one of the most horrific incidents of U.S. violence against civilians during the Vietnam War. “They don’t operate out in an environment where [they are] responsible for the life or death of some set of warriors who operate alongside of them.”

The last time the United States faced such a massive paradigm shift that produced new warfighting doctrine was 70 years ago, following the deployment of the atomic bomb. “We’re in an analogous experience now with the advent of cyberspace,” says Col. Timothy S. Mallard, USA, the command chaplain at the Cyber Center of Excellence, who led a panel discussion on cyber ethics in August during AFCEA International’s TechNet Augusta conference. “What you have is the fifth domain of war. I want to start with the premise that the most dangerous thing we can do as a military … is to have an unconscious, unreflective practice of cyber war.”

Fundamentally, the Army’s ethical approach to cyber warfare varies little from the overall approach to all operations, offers Col. Jennifer Buckner, USA, Army Cyber School commandant. Cyberwarriors learn foundational cyber ethics, laws, policies and regulations; at least three cyber schools guide both the intelligence and cyber communities. “There are probably far more of the rules and ethics that we currently abide by … even in cyber, than some people would perhaps appreciate,” Col. Buckner says.

Still, several unanswered questions remain. What constitutes an attack? What are the rules? Would the cyber theft of a private company’s proprietary information by a nation-state be tantamount to an act of war?

“We see some very loose use of terminology that we apply to cyber that we don’t apply to other domains,” says Gen. Welch, the former president of the nonprofit Institute for Defense Analyses who now serves as a senior fellow there. “For example, what we would call espionage in other domains we call an ‘attack’ in the cyber world. What we call intelligence collection in other domains we tend to call an ‘attack’ in the cyber domain.”

An executive order issued in April, however, gave policy makers a little help with defining cyberspace missions by providing the clearest policy direction thus far for a national cyber response. The order calls for, in part, sanctions against foreigners who engage in significant malicious cyber-enabled activities. Titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” it details retaliatory steps and does not discriminate between private or nation-state actors.

Cyber assaults do not always merit a cyber-based response, Col. Buckner points out. “Much like any other incursion, it could merit a number of different responses depending upon the government interest,” she says. “Our job in the military is not to dictate or mandate a response, but rather to provide options for government leaders so if and when they decide to respond, we have the capability to do so. We offer a range of options that spans from very precise to a more overt action that gets everyone’s attention.

“We are the capacity that provides the ability to respond,” Col. Buckner states.

A soldier monitors computer screens during a Joint Users Interoperability Communications Exercise, or JUICE, annual event. JUICE includes network planning, systems integration, network operations and computer network defense to identify ways to improve operational capabilities.

Many ethics discussions incorporate teachings from the just war theory, a doctrine that helps elucidate justifications of how and why wars are fought, Maj. Lewis says. “We discuss collateral damage—we discuss avoiding negative impact to the civilian population where feasible,” he shares. “It’s a complex environment. It is a much different environment than most people are typically used to, but we can still apply the exact same discussion points … in terms of difficult decisions that a cyber leader may have to make.”

Assessing collateral damage presents one of the greater difficulties. “With kinetic operations, we have a lot of practice in estimating collateral damage,” Col. Buckner says. “Sometimes, the second-, third- and fourth-order effects of actions in cyberspace we can’t predict with great certainty.”

Leaders concocting the moral standard for cyber warfare borrow too from religious doctrine, Gen. Welch offers. “There is a catechism of the Catholic Church, for example, that declares that the use of arms must not produce disorders greater than the evil to be eliminated,” he says. “The level of evil and disorder created is fairly straightforward when applied to [adversaries] dropping bombs or shooting or torturing human beings.”

It is less straightforward with cyber, where a strike could be nothing more than criminal behavior rather than a declaration of war, and boundaries are undefined. While international agreements for the so-called “traditional” combat domains of air, land and sea contain definitions of national sovereignty, in the cyber world this does not exist, Gen. Welch says. “If you enter the United States without some kind of official authorization, it’s a crime, and there’s no confusion about that. But in cyberspace, there’s mass confusion. I can wander around all over the Internet in China or Russia or any other country, and there is no concept that I have illegally entered that nation until I pass some kind of physical or conceptual boundary that is, in fact, not defined.”

Ethics discussions extend beyond the Defense Department’s perimeter to include what role, if any, the private sector should play in cyberspace operations. Although the military historically has relied on industry for help in defending the nation, such involvement in the already convoluted cyberspace proves worrisome, warned Adm. Michael Rogers, USN, director of the National Security Agency and commander of U.S. Cyber Command, at a recent industry event.

The country does not need cyber privateers, he says.

“I still believe that, in broad terms, the application of force … should be a [military response],” Adm. Rogers said during an SAP NS2 Solutions Summit in October. “I still believe that the nation-state is best posed to apply force. And I worry about what the implications are if we’re going to turn that over to the private sector.”

And vice versa. The November 2014 Sony Pictures Entertainment hack perpetrated by North Korea forced an out-of-the-ordinary military response to an otherwise criminal act. But failure to publicly acknowledge the hack and identify the aggressors risked sending mixed messages, Adm. Rogers said. He fears that nation-states or groups might “conclude this behavior must be seemingly acceptable or permissible,” or that businesses might conclude the government did not have their backs. “My concern was the private sector will say, ‘OK, if I can’t count on the government to do something, that means you’re turning this problem over to me,’” he shared.

“It’s the Wild West in some places already,” Adm. Rogers said. “You don’t need more gunslingers out on the street.”

The Sony hack and other high-profile breaches provide fodder for cyber operators in training, Col. Buckner says. “Every case, and certainly those that have been made public, allows us to further the discussion and advance the policy and terminology,” she says. “What is the correct response for a private company that normally wouldn’t merit a response by the government, yet [the breach] was publicly attributed to a nation-state? What is the appropriate response, and who carries that out?

“Every case, every example furthers the discussions on whether laws, policies and authorities are correct and how we might apply them,” Col. Buckner concludes.

The pervasiveness of cyber attacks is both a strength and a weakness of the domain, Gen. Welch offers. “Perhaps the vulnerability in the cyber domain is more worrisome because it has such a strong impact on our effectiveness in other domains.

“Is it a vulnerability that we just need to wring our hands about? No,” he adds. “We know how to protect; we know how to manage the vulnerabilities. We know how to deal with the risks. We just need to do it.”


• 5-10X faster than the competition

• Application-aware for precise control

• Deep packet inspection (DPI) streamlines traffic flow

• Security Zone level grouping

Today’s Warfighter requires the best tools to conduct combat in Cyberspace. Our field-proven and award-winning network security products ensure your critical data is safe from the inside out.

With solutions configured to Military-grade specs, you can deploy the fastest and most advanced network security platform on the market.

FortiDDoS: Denial of Service Protection

FortiGate: High Performance Firewalls, UTM and NGFW

FortiGate Rugged: Industrial Network Security

Call to Schedule Your Free Application and Risk Analysis of Your Network: (571) 449-8375
fortinet.com/solutions/federal.html

SECURING Your World

www.fortinet.com

Army Braces for A Culture Clash

The service must work to entice and keep the type of people who excel at cyber operations.

BY COMMAND SGT. MAJ. RODNEY D. HARRIS, USA

Soldiers with the U.S. Army Cyber Command take part in network defense training. The Army has reclassified its military occupational specialty as 17C for cyber operations specialists, but more remains to be done to build an effective cyber corps for the service.

The U.S. Army and its Cyber Command are building momentum to create the institutional and operational structure required to conduct and support missions in the cyber domain. Now is the time to seriously address the challenges of attracting and retaining soldiers with the talent needed to take on the enemy. As Lt. Gen. Edward C. Cardon, USA, commanding general of Army Cyber Command, often states: Technology, as significant as it is in the rapidly changing face of warfare, will not be the deciding factor in who will dominate in this domain. It’s the people.

And today’s Army faces tremendous challenges in organizing, training and equipping them to operate in this dynamic new warfighting domain. The Army must re-evaluate how it recruits and keeps its cyber talent if it is to become the service of choice in the highly competitive cybersecurity community. How it employs its gifted cyberspace operators is critical, and equally important is how the Army helps future cyber leaders develop the required credibility.

Addressing these issues is difficult because the nascent domain has changed the traditional understanding of war and the way it is carried out. War no longer is adequately defined as forceful battles pursued by armed combatants at the behest of governments to gain and hold critical geographic terrain. Instead, war is a battle between many actors, waged to a significant degree in the cyber domain. A consensus exists that the global efforts of diverse actors, including nation-states and cyber terrorists, now have operationalized cyber warfare.

These efforts are becoming increasingly sophisticated. Gen. Mark A. Milley, USA, the 39th chief of staff of the Army, notes in a recent Association of the U.S. Army Green Book article: “The technologies that have historically enabled our overmatch are becoming increasingly available to our adversaries.”

Such significant warfare changes require new attitudes, strategies and doctrine development to let the Army successfully operate both on land and in cyberspace. In particular, the service must address four immediate personnel challenges to ensure the success of its cyber work force. It needs to understand the typical characteristics of its cyber talent; organize its operational structures to effectively employ this talent; create an environment that fosters innovation; and learn to lead these forces.

As the Army continues to generate its component of the Defense Department’s Cyber Mission Force—the effort to establish 133 cyber defense teams by 2018—it struggles to recruit and retain the skilled professionals necessary to build its teams. One frequently discussed issue is whether the Army must establish new standards or lower the current standards that are limiting the service’s ability to grow its population of cyber operators.

The Army should not lower its standards for such an important component of the force. Instead, the service should better define the most critical skills needed and spell out its specific plans to keep qualified soldiers, especially advanced tool developers and on-net operators. While other cyber team members are important, training soldiers for these two work roles requires added focus.

Harvard University’s chief technology officer, Jim Waldo, describes individuals with these skills as the top 2 percent of software and security specialists. He believes they are 10 to 100 times more effective in understanding and operating in cyberspace than average technologists. If the Army is going to be successful in the cyber domain, then these individuals represent the talent the service must recruit and train. And it must learn to lead these warriors if it expects to retain them.

One obstacle to retaining soldiers with these skill sets is that their personalities tend to defy conventional military cultural norms. They are seen as rule breakers driven by curiosity and seek to penetrate barriers rather than conform to any standard. They often despise meetings and argue against any concept that opposes their original ideas. Traditional Army leaders often fail to understand these nonconformists.

The Army also has failed to create an organizational culture that will retain its cyber talent. Parochial arguments and institutional policies can be a turnoff to these individuals. For example, the Army actually held up cyber operators’ selective re-enlistment bonuses for almost four months to debate who could be labeled a cyber operator. The service lost at least seven of its trained on-net operators during that delay.

Career stagnation can be a problem as well. The Army’s Qualitative Service Program (QSP) consists of a series of centralized board processes designed to select and retain the highest quality noncommissioned officers (NCOs) who display the greatest potential for continued service. Yet the Army lost one of its most highly qualified cyber analysts to this program because she had not been promoted or moved from her position in four years. Understanding her work role easily explains the requirement for extended stationing policy, and the limited number of senior positions in this career field accounts for a latent advancement cycle. Still, the service needs to find a way to satisfy anyone’s desire for professional growth.

Comprehending cyber’s work roles is not just an Army issue, but a shared challenge across the services as the Defense Department struggles to learn this new domain. The Army chose to create the 17-series branch and career field to address such institutional challenges, which also include how to organize the service’s cyberspace operators. Organizational structure and design in cyberspace operations, to a large degree, have been prescribed at the strategic level by U.S. Cyber Command and are similar across all the services. Because the preponderance of effort to establish the force is derived from the intelligence community, the employment of the force primarily is at the strategic level and therefore almost nonexistent as a deterrent to adversaries. Additionally, the design of teams, infrastructure, tools and command and control has been created and developed in a way that, by its nature, stifles innovation and allows little room for initiative. In short, the government has tried to structure an inherently unstructured and free-flowing domain.

Rigid organizational structures do not restrict potential adversaries. A quick study of the operations Russia conducted in Ukraine highlights some of the most visible flaws in U.S. cyber operating concepts. Russia artfully converged information operations, electronic warfare and network warfare in both digital and physical operations to win in Ukraine—with almost no visible presence. Conversely, the United States debates which actions are Title 50 of the U.S. Code versus Title 10 versus Title 40 and struggles to build a force around the traditional concepts of offense, defense and exploitation.

Additionally, how the Army defines defensive and offensive operations impacts the service’s employment of its cyberspace operational forces. Delineating between defensive and offensive operations has been described by Tim Willis, a security manager on the Google Chrome Security Team, as a fundamental flaw in the digital environment’s philosophy of operations. In a recent lecture, Willis presented an analogy describing what happened when an international agreement failed to take this flaw into account.

He cites as an example the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, established in 1996. The arrangement promoted transparency among the 41 participating states, including many former Warsaw Pact countries and the United States, in the transfers of conventional arms and dual-use goods and technologies. Problems arose in 2013 when the group added intrusive software to the list without considering the second- and third-order effects the addition would have on the Internet security community. The community argued that restrictions cannot be placed on offense without affecting defense because the tools and software, in terms of tactics, techniques and procedures, are basically the same.

The inextricable links between cyber offense and cyber defense create confusion, leading to upheavals for cyber organizations as they restructure. Today, they are designed to employ certain teams for offense, different teams for defense and still other teams for analysis and exploitation. The arrangement makes perfect sense if their only task was to expand on the mission of the National Security Agency and the intelligence community. It’s not, and the Army’s cyber organizational structure creates a culture of haves versus have-nots, with leaders giving little thought to the intelligence, equipment and tools needed to conduct deliberate defense in the pursuit, containment and defeat of advanced persistent threats.

To facilitate information sharing and synchronize cyberspace operations, the Army cyber force should mirror the structure of maneuver forces to conduct a full spectrum of combat actions. Commanders can then task-organize within their formations.

The Army also must re-emphasize innovation. Today’s cyber operator employment model not only limits the innovation and capabilities cyber operators can bring to the fight, but it also prevents any deterrence that could be gained by more aggressive responses to attacks and the show of force the United States could bring to this domain. The leading barrier to allowing more aggressive actions is the intelligence gain-loss ratio, or deconfliction of friendly battlespaces. The Army should organize to employ teams that support tactical operations at corps and below echelons while reducing the standard for gain-loss decisions. Investing in this capability and demonstrating it will foster buy-in from maneuver forces and deter actions by adversaries.

Fostering innovation even during training is critical. While the Army might not have lawful authority to conduct kinetic attacks against an adversary until the United States declares war, that should not prevent the service from training for them. By the same notion, failing to let soldiers develop the tools, access and infrastructure needed to achieve results at the tactical level, even while in training, restricts innovation and eventually will contribute to the loss of the most talented operators.

Ultimately, understanding and effectively employing cyberspace operators depends on leadership. Without a base knowledge of the technical aspects of cyber work force skills, traditional leaders cannot have meaningful conversations with these highly skilled operators. Many times, attempts to communicate result in a dialogue of technical jargon—possibly purposefully designed to minimize the attention span of, and time wasted by, an unskilled technocrat posing as a leader of technologists.

Only if the Army understands its top-tier cyber operators will it be able to support the initiatives and policies to lead them. Currently, Army leaders are constrained by their own experiences, and until a new generation replaces them, the service will continue to struggle with leading cyberspace operators.

Command Sgt. Maj. Rodney D. Harris, USA, is assigned to the U.S. Army Cyber Command and 2nd Army. The views expressed here are his alone and do not represent the views and opinions of the Defense Department or U.S. Army.

When Lifesaving Technology Can Kill

Tiny machines present a big cybersecurity risk that has yet to be resolved.

BY GREGORY CARPENTER

The exciting advent of nanotechnology that has inspired disruptive and lifesaving medical advances is plagued by cybersecurity issues that could result in the deaths of people that these very same breakthroughs seek to heal. Unfortunately, nanorobotic technology has suffered from the same security oversights that afflict most other research and development programs. Nanorobots, or small machines, are vulnerable to exploitation just like other devices.

But the others are not implanted in human bodies.

The phenomenal transformation of computer networks from limited and simple to vast and complex has contributed to such great advances. Great but susceptible advances.

Since the introduction of the mainframe computer more than 50 years ago, experts have struggled to fully secure even a single machine. Rogue nations and terrorists repeatedly have proved they can develop technology to circumvent U.S. attempts to safeguard networks both public and private.

Where technology has flourished, security to protect it has stagnated. This holds true with nanotechnology, which is the study and application of extremely small things measuring between 1 nanometer to 100 nanometers. A nanometer is one-billionth of a meter. For comparison, a human hair is roughly 60,000 nanometers to 80,000 nanometers wide, and a DNA molecule measures about 3 nanometers wide.

Though nanotechnology is relatively new, the breadth of budding applications fueled by robust research and development has advanced it faster than anticipated. Nanotechnology already aids in areas such as public health, food safety, police forensics and even warfare.

The U.S. military has joined the fray of nanorobotic experimentation, embarking on revolutionary research that could lead to a range of discoveries, from unraveling the secrets of how brains function to figuring out how to permanently purge bad memories. Academia is making amazing advances as well. Harnessing progress by Harvard scientists to move nanorobots within humans, researchers at the University of Montreal, Polytechnique Montreal and Centre Hospitalier Universitaire Sainte-Justine are using mobile nanoparticles inside the human brain to open the blood-brain barrier, which protects the brain from toxins found in the circulatory system. Until recently, affecting the brain directly had been impossible because 98 percent of therapeutic molecules were too big to cross the blood-brain barrier.

Now imagine if wrongdoers hacked these nanoparticles.

For another project, scientists are applying mobile nanoparticle advances to research through the Neuro Function, Activity, Structure and Technology (Neuro-FAST) program funded by the Defense Advanced Research Projects Agency (DARPA), which seeks unprecedented visualization and decoding of human brain activity. The breakthrough ability to traverse the blood-brain barrier lets external forces affect a person’s brain, an important next step, but certainly not the end game in research.

A different type of technology presents a risk similar to the nanoparticles scenario. A DARPA-funded program known as Restoring Active Memory (RAM) addresses post-traumatic stress disorder, attempting to overcome memory deficits by developing neuroprosthetics that bridge gaps in an injured brain. In short, scientists can wipe out a traumatic memory, and they hope to insert a new one—one the person has never actually experienced. Someone could relish the memory of a stroll along the French Riviera rather than a terrible firefight, even if he or she has never visited Europe.

As an individual receives a disruptive memory, a cyber criminal could manage to hack the controls. Breaches of the brain could become a reality, putting humans at risk of becoming zombie hosts for future virus deployments.

Safeguarding nanotechnologies is an issue in which everyone is a stakeholder, not just researchers, scientists and medical personnel. Hacking such technologies is easy, straightforward and can be accomplished in the same manner cyber attackers employ today. Loss of command and control of these tiny machines to an adversary would be detrimental. Solving the nagging enigma of securing computers, devices and networks will go a long way toward allowing nanotechnology to be further integrated into our lives without devastating risks.

This illustration shows perceived activity in the brain, which DARPA scientists are studying to develop treatments for several ailments, including neuropsychological illness brought on by war, traumatic injuries, major depression, post-traumatic stress disorder, borderline personality disorder and general anxiety disorder, to name a few. Photo courtesy of DARPA.

This illustration depicts use of nanorobots to annihilate cancer cells. Photo courtesy Gregory Carpenter.

This illustration depicts a conceptual representation of nanorobotics creating an avatar. Photo courtesy Gregory Carpenter.

Gregory Carpenter owns Gregory Carpenter Enterprises LLC and is an adjunct professor of information technology and statistics and a doctoral student of bionanotechnology security at Walden University.

Slow Speed Ahead for Contractor Compliance

New DFARS cybersecurity regulations are demanding, especially for small businesses, but solutions exist.

BY MICHAEL SEMMENS

Complying with federal cybersecurity standards, though essential for the defense industrial base and national security at large, presents immense fiscal challenges for smaller businesses that struggle every day to meet the demanding requirements—without breaking the bank.

If not addressed soon, small business noncompliance with the standards spelled out in the Defense Federal Acquisition Regulation Supplement, or DFARS, could have the unintended consequence of severely diminishing the sector’s role in defense contracting, exacerbating concerns about bringing the entire industrial base into compliance. It is a responsibility shared by all businesses doing work for the Defense Department—small, medium and large.

The consternation began in November 2013, when DFARS subpart 204.73 went into effect and required all Defense Department contractors to comply with a designated set of security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53. The publication was issued as a direct response to the growing number of cyber espionage incidents in which adversaries stole sensitive government information—often from a contractor or subcontractor. The change mandated compliance when unclassified controlled technical information (UCTI) passed through or was stored in defense networks or systems.

In spite of the mandate, not much happened when it actually went into effect.

The DFARS imposition of cybersecurity requirements on contractors for the first time led to considerable confusion—and resistance—about the implementation approach. Contractors did not know, for example, when to apply UCTI restrictions; who would review and enforce the standards from within the government; or who would cover the cost of bringing contractor systems into compliance. In fact, few contracting officers even included the clause in contracts, and most made no effort to validate implementation controls. Large contractors hesitated to hire auditors to inspect their subcontractors, yet held tightly to anxious concerns about liability risks based on their subcontractors’ state of compliance—or lack thereof.

This major issue has slowed implementation of the cybersecurity DFARS clause into contracts. The Defense Procurement and Acquisition Policy (DPAP) tracks and grades contracting practices in all the services and defense agencies such as the Defense Logistics Agency and Defense Contract Management Agency. During the first quarter of 2014, following issuance of the DFARS cybersecurity requirements, less than 20 percent of defense contracts contained the requirement clause. However, midway through 2015, roughly 80 percent contained it—a clear indication that a goal of 100 percent participation is not far away. The takeaway is that all defense contractors, going forward, will need a compliant cybersecurity profile to receive contracts. The stakes are high for contractors big and small: If they don’t play by the rules, they will be out of the game.

Although slow, the effort to achieve compliance has recorded some progress. Updated regulations now cover cloud computing. The original DFARS clause pointed to 51 controls and enhancements that required contractors to notify the Defense Department through a special portal within 72 hours of a cyber incident. The new requirements broadly define the information contractors must seek to protect and mandate that breached companies provide copies of preserved images of compromised media. In September, the DPAP published significant revisions that changed the basis of compliance and broadened the definition of protected information to what is now called “covered defense information.” Additionally, the DPAP requires prior approval from the Defense Department’s chief information officer (CIO) for any deviations from compliance and restricts the use of cyber incident information provided by third-party contractors. During the bidding process, businesses also must declare their intentions to use cloud computing or request approval from a contracting officer, who must get the OK—a lengthy and difficult undertaking—from the Defense Department’s CIO.

Compliance can be daunting, requiring an in-depth understanding of the standards, assessments and appropriate remediation procedures. Well-trained in-house staff can perform the assessments, or businesses can hire qualified service providers to do audits. Until recently, however, assessment and compliance tools were labor-intensive spreadsheets and text documents, complicating the already arduous but vital record-keeping process needed for accreditation and certification to do business with the Defense Department.

As it stands, the government offers no certification rules, which means some contractors provide “self-certifications” of compliance. Arguably, the practice presents a serious conflict of interest—if not actual, then certainly at least perceived. In some cases, service providers supply letters attesting compliance, but the practice lacks standardization.

An effective and affordable solution is the Defense Industrial Base Information Sharing and Analysis Center’s (DIB ISAC’s) CyberVerify process and a database software tool called the i2ACT-800, developed by Imprimis Inc., which helps reduce the labor and cost of compliance. CyberVerify, recognized as a qualified third-party cybersecurity auditor, assesses systems of record and offers remediation services as required. The DIB ISAC reviews audit results and awards compliance certificates when contractors meet all requirements. Contractors also can use the Department of Homeland Security’s Cyber Security Evaluation Tool (CSET), but it does not include the NIST 800-171 requirements that outline procedures for protecting UCTI in nonfederal information systems and organizations. It also does not lend itself to convenient auditing of cybersecurity controls and practices.

The i2ACT-800 is designed specifically for cybersecurity compliance auditing and document control and contains more than two dozen baselines from the DFARS and NIST guidelines. The solution can be tailored with overlays designed to fit an organization’s exact cybersecurity requirements, and it uses numerous questions, supplemental guidelines and suggested evidence to aid in the assessment process. It contains various sections, from references to risk categorization, assessment, report and database management. The document-management feature combines information into a single file, and the report-capability component provides contracting officers, prime contractors and auditors with the needed reports. It allows up to 20 people to collaborate on a single assessment database at once, a significant time-saver. Finally, it provides DIB ISAC with a consistent, standardized format for certification.

Case studies indicate that i2ACT-800 decreases the work involved in performing an initial assessment by at least 50 percent and reduces the labor associated with updating an assessment by 75 percent to 80 percent. CyberVerify with i2ACT-800 makes compliance viable for all businesses and provides a model that lets prime contractors rapidly, and in a standardized method, assess subcontractor cybersecurity compliance. And that could be a relief to contractors big and small seeking to do business with the government.

Michael Semmens is president of Imprimis Inc., an organization supporting government and private businesses with cybersecurity compliance tools and space-based technology, advanced engineering and structured training.
