18 June 2021

DoD Budget Requests Funding For Key Defensive Cyber Measures

By BRAD D. WILLIAMS

WASHINGTON: The Defense Department’s 2022 proposed budget provides a boost in funding for key defensive cybersecurity measures.

Comparing the 2022 request to the 2021 request reveals a few notable funding shifts:

A new line item for implementing zero-trust architectures.

Increases for zero-trust security enabling technologies, including cryptology, identity and access control management (ICAM), and automated continuous endpoint monitoring (ACEM).
A decrease in funding for overseas “hunt-forward” cyber operations.

An increase in Cyber Mission Force teams by four.

What does this portend?

Implementing Zero-Trust Architectures

The 2022 budget requests $615 million for “imbedding” zero-trust architectures.

As BD readers know, the US government has made a major push to promote zero-trust security. During a recent interview with BD, NIST scientist Oliver Borchert noted that zero-trust security “is not one single product that one can purchase off the shelf.” Instead, Borchert’s comments reiterated NSA’s characterization of zero trust as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy.”

What does zero trust look like in practice? The zero-trust model is detailed in a new, 170-page document recently released by DISA. DISA’s Zero Trust Reference Architecture complements publications on zero-trust security previously published by NIST and the NSA.

To illustrate the zero-trust concept, DISA’s doc includes a graphic (below) in which security capabilities are mapped to the assets that must be protected, as well as security operations tools (i.e., visibility and analytics, automation and orchestration).

Source: DISA

It notes, “While straightforward in principle, the actual implementation and operationalization of Zero Trust incorporates several areas which need to be smartly integrated. …Implementing Zero Trust requires rethinking how we utilize existing infrastructure to implement security by design in a simpler and more efficient way while enabling unimpeded operations.”

And, the DISA doc says, “Apart from the advantages to securing our architecture in general, there are additional cross-functional benefits of Zero Trust regarding cloud deployments, Security Orchestration and Automation (SOAR), cryptographic modernization, and cybersecurity analytics.”

But the DISA doc is also realistic about the challenges of moving to a zero-trust architecture. It therefore provides a graphic illustrating zero-trust maturity levels, along with the necessary steps organizations can take to begin implementing this robust security model.

Source: DISA

Implementing zero-trust models will be a journey through multiple stages for most organizations, not a one-step process. And key to zero trust’s successful implementation will be tying together several enabling technologies into an integrated architecture.

Zero Trust Enablers

The 2022 budget includes significant funding increases for several zero-trust enabling technologies.

As NSA Executive Director Wendy Noble noted in April: “The zero-trust model is predicated on encryption algorithms and key exchange processes that are quantum resistant. Likewise, fine-grain, cross-domain management of authorities and access controls must be embedded throughout the architecture.”

Noble’s viewpoint is reflected in the budget request, which includes:

$980.9 million for cryptology, an increase in the request by $302 million year over year, which appears to be the single largest increase.

$243.9 million for ICAM versus a requested $198.5 million in 2021.

In addition, zero trust requires continuous monitoring, a move toward establishing anomalous behavior detection, and significant security automation, as reflected in DISA’s Zero Trust Reference Architecture and NIST’s Special Publication 800-207 Zero Trust Architecture.

Speaking at a Billington Security event earlier this year, Gen. Keith Alexander, who previously led CYBERCOM and NSA, noted the need to “chang[e] the mindset and approach to what we’re doing. By anybody’s standard, cybersecurity’s not working. We’re not defending. We’re not even close.”

This change in mindset and approach includes, in Alexander’s view, a move from “static” to “dynamic” cyber defense, which entails what Alexander calls an “automated defense capability.” An element of this capability will be provided by ACEM, which the 2022 budget proposes funding at some $272.5 million more than requested in 2021.

“Hunt-Forward” Cyber Operations

The single biggest reduction in proposed year-over-year cyber funding request appears to be in overseas “hunt-forward” cyber operations, with a $284.4 million cut to $147.2 million in 2022 versus a requested $431.6 million last year.

CYBERCOM and NSA chief Gen. Paul Nakasone has said “hunt forward” includes “executing operations outside U.S. military networks.” This entails proactively identifying security vulnerabilities in partners’ overseas networks, with their permission, and then sharing information to improve overall cybersecurity posture.

Hunt forward falls under the doctrine of “persistent engagement,” which Nakasone has said, “focuses on an aggressor’s confidence and capabilities by countering and contesting campaigns short of armed conflict.” Persistent engagement was formalized in DoD’s 2018 Cyber Strategy.

In congressional testimony this spring, Nakasone has referenced hunt-forward operations in support of the 2020 elections, saying CYBERCOM conducted “11 hunt-forward operations in nine different countries for the security of the 2020 election.”

Expanding Cyber Mission Force

One of the biggest questions right now about the proposed 2022 cyber budget revolves around this expansion of the Cyber Mission Force.

According to the 2022 and 2021 budget documents, existing CMF teams include:

13 National Mission Teams to defend the United States and its interests against cyberattacks of significant consequence.

68 Cyber Protection Teams to defend priority DoD networks and systems against priority threats.

27 Combat Mission Teams to provide support to Combatant Commands by generating integrated cyberspace effects in support of operational plans and contingency operations.

25 Support Teams to provide analytic and planning support to National Mission and Combat Mission teams.

The number of these existing teams appears to hold steady year over year, but the budget overview indicates there will be four additional teams added in FY 2022.

Details on the role, composition, and costs of the four new CMF teams are sparse in the budget document, although it does note “additional funding and civilian manpower, and adjusts military manpower.” The document also notes the four teams will support “increased cyber operations” and provide cyber support for space operations.

No comments: