There is no shortage of security challenges facing the new Biden administration. One of the most important of these is securing federal government agencies, especially the Department of Defense (DoD), against cyber intrusions. Several factors are increasing the urgency of this task. The pandemic has led to a large remote federal workforce using various systems, networks and applications. Even when the pandemic ends, working remotely is likely here to stay. However, the federal government moved more of its activities to the cloud and radically expanded the number of endpoints (computers and other smart devices) on its networks well before the COVID-19 outbreak. The potential attack surface is enormous, particularly when you include the DoD's connected sensors, platforms, command and control centers, and weapons systems that are part of what some are calling an "Internet of Military Things."
The evolution of government networks is dramatically increasing the opportunities for hostile actors to access them. The SolarWinds supply chain attack exposed vulnerabilities in major commercial and public-sector enterprises, including the U.S. Treasury and the Departments of Homeland Security, State, Commerce and Defense. The discovery of the SolarWinds vulnerability set off a scramble within commercial and government networks worldwide to determine where devices were running the Orion product that was infected with malware.
SolarWinds underscored a major vulnerability in both public and private networks. What is lacking in most organizations, inter alia, is the ability to determine which devices are connected to a network. The federal government overall, and most importantly DoD, must enhance their ability to secure their networks and devices. When it comes to countering threats, both physical and cyber, the government cannot defend what it cannot see.
Having a high-confidence, real-time picture of which devices are on a network is the first step in providing security against cyberattacks. Once a reliable picture of the network is established, defenders can identify devices that lack sufficient security controls or lack permission to access the network, and then isolate them.
To meet this objective, DoD, with Congressional support, has been moving forward on a program called Comply-to-Connect (C2C). C2C is a congressionally mandated five-year cybersecurity program passed into law through the FY 2017 National Defense Authorization Act (NDAA). The Defense Information Security Agency (DISA) is a driving enabler of C2C, providing the tools and training for implementing C2C throughout the DoD.
At a recent virtual event on the evolution of the DoD Information Network, Carmen Santos-Logan, Deputy Director for Cybersecurity Architecture and Capability Oversight and Team Lead for the Enterprise Cybersecurity Capabilities at DoD, described C2C as “an overall cybersecurity framework of tools and technologies that are fused together through the concept of security product orchestration to deliver a unified cybersecurity platform for the department network.”
One advantage of the C2C framework is that it does not require network managers or users to trust that the network is secure, because every user and device must be both authorized for access and compliant with the minimum standards of security. C2C allows for an environment of zero trust. In essence, with C2C, all users and devices must prove their legitimacy to be allowed to operate on DoD networks. Devices that are authorized but lack the proper security software can be remediated.
C2C was originally a pilot program involving the National Security Agency, the Air Force and the Marine Corps, with a goal of successfully managing as many as 20,000 endpoints. The Marine Corps has been particularly aggressive in employing C2C. C2C allowed the Marine Corps to quickly assess its potential exposure to the SolarWinds incident, thus mitigating the danger.
After some five years of development and experimentation, C2C has proven itself. Last year, the DoD Chief Information Officer directed DISA to bring C2C to the broader DoD IT enterprise. In response, DISA released a Request for Information (RFI) seeking support in expanding C2C across most of DoD’s networks.
As stated in the RFI: “The C2C solution will allow real time visibility of all IP endpoints, network infrastructure, and internet of things devices. By identifying the non-compliant and previously unidentified devices, DoD will be able to isolate these assets and mitigate risk in an automated fashion, which will significantly increase the security posture of the DODIN.”
DISA has published its plans to bring C2C to DoD’s enterprise-wide unclassified network, or NIPRNet, before the end of 2024 and to its classified network called SIPRNet by mid-2023.
The DoD CIO reportedly signed a memorandum on January 28 to address where IEEE 802.1X—a decades-old networking protocol that governs how hundreds of thousands of devices are connected to networks—may now be applied based on the C2C framework. The issue with IEEE 802.1X is its lack of support for Operational Technology such as control systems.
C2C will ultimately allow security professionals to remove the fixed requirement to use IEEE 802.1X for Network Access Control. DoD can then use policy-based authentication methods to continuously enforce the security, proper configuration, and compliance of all devices.
C2C can also help address the challenge of protecting Operational Technology that is part of large private-sector systems, such as the power industry. The trend toward monitoring and managing control systems and sensors remotely saves manpower and reduces costs, but it also creates cyber vulnerabilities.
It is important to recognize that C2C can address many of the network security problems plaguing both government and the private sector. One of the most important effects of the CIO’s directive to DISA to implement C2C across DoD is that it will counter the efforts by some components to develop their own stand-alone network monitoring and compliance capabilities. C2C can also support non-traditional IT managers in such areas as civil engineering, logistics and security services, who are searching for solutions to the cybersecurity problems that the convenience of the connected world has created.
Dan Gouré, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. Gouré has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute @LexNextDC.