Published on May 18th, 2022

Automation must be a critical element of our nation’s cybersecurity strategy | by Gia DeHart | Rebellion Defense | May, 2022



The Pentagon, at 6.6 million square feet, is the world’s biggest office building. In the digital world, the Pentagon is also the world’s biggest target for state-sponsored cyber warriors. Every day, for example, the Pentagon receives some 36 million emails trying to break into or disrupt its systems. Many come from authoritarian regimes who would like to compromise America’s national security or undermine our system of democratic freedoms.

The sheer scale of this onslaught indicates that defeating it requires machines — smart machines with software that is constantly being updated. To illustrate the challenge: even if every one of the 26,000 designated personnel who go into work at the Pentagon every day did nothing else apart from monitoring systems for cyber attacks, they would still not come close to solving the problem.

Commanders within the Department of Defense (DoD) are already aware of the cyber threats, and are seeking ways to improve their visibility into the full extent of the specific risks involved: they simply have too many “unknown unknowns.” The personnel working on cyber defenses are overstretched, spread across numerous departments, and — because they rely primarily on manual processes — they struggle to keep pace with the sheer number of machine-scale cyber attacks and network penetration attempts they face.

To make matters worse, there is a vast skills shortfall, with an estimated 600,000 unfilled cyber positions across the United States in both government and industry. With such a labor shortage, DoD’s cyber readiness concerns cannot be addressed through the use of human cybersecurity operators alone.

Furthermore, even when human operators run adversarial “red team” tests and compile lists of cyber vulnerabilities, operational commanders often cannot determine which ones pose an immediate danger to their mission and hence require urgent attention. Their overworked cyber defenders simply don’t have the necessary context to prioritize risk.

In March 2021 the Government Accountability Office (GAO) reviewed DoD’s cyber defenses — including those for its weapons systems. They found that with “simple tools and techniques, testers were able to take control of systems and largely operate undetected.” The DoD’s Director, Operational Test and Evaluation (OT&E), later reported that “broader use of automated testing methods, perhaps enhanced by artificial intelligence and machine learning, also is necessary; relying solely on people to conduct cybersecurity OT&E no longer is feasible due to the scale and scope of the testing requirement.”

The DoD needs to implement regular automated cybersecurity testing — red teaming — to emulate what our adversaries might do before they do it. Automated red teaming will give commanders oversight of the entire landscape of cyber threats, allowing them to flag what is mission-critical in their networks, and to identify the most serious vulnerabilities which need to be immediately fixed.

This is a dynamic process, as our adversaries adapt to our countermeasures and develop ever more sophisticated techniques to penetrate our systems. At the moment the DoD conducts primarily human-driven red teaming, but often just once or twice a year — even as hostile actors like Russia’s Cozy Bear or China’s Unit 61398 update their malware and develop new exploits on a daily basis.

Automated cybersecurity testing would map components, inventory assets, and then probe for vulnerabilities, using the most up-to-date exploits that mirror real-world threats and reflect knowledge of adversaries’ tactics. Systems would then be tested using current methods actually employed by adversaries, illuminating how a system might stand up to such attacks. Tests would be frequently executed to give blue teams — the defenders — realistic scenarios against which to measure their efforts, before facing actual adversaries in real-world attacks.

This approach would situate weaknesses within the context of actual mission impact, giving commanders actionable cyber risk intelligence, allowing them to take corrective action and prevent threats to their mission. Blue team operators could run a suite of adversary emulations on-demand and iteratively test and refine their defenses.
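The two preceding paragraphs describe the pipeline in outline: inventory assets, reconcile what a scan actually finds against what commanders think they own (the "unknown unknowns"), and rank findings by mission impact rather than by raw severity. The following is an added illustration of that prioritization step written for this page; it is not Rebellion Defense code and not any DoD tool. The asset names, mission-criticality tiers, finding identifiers and scoring weights are all constructed for the example; a real deployment would take criticality from the mission owner and findings from the testing platform.

```python
"""Added example: reconcile discovered hosts against a mission inventory and
rank test findings by mission impact. All data below is constructed."""
from dataclasses import dataclass

# Assumed tiers: how much a compromise of the host would hurt the mission.
CRITICALITY = {"mission-critical": 3, "mission-support": 2, "administrative": 1}
# Assumed technical severity scale as reported by the automated test.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str          # organizational owner who classifies the asset
    criticality: str    # key into CRITICALITY


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str     # constructed identifier, not a real CVE
    severity: str       # key into SEVERITY
    exploit_demonstrated: bool   # the test actually exercised the weakness
    internet_exposed: bool       # reachable from outside the enclave


def reconcile(inventory, discovered_hosts):
    """Return (hosts the scan found that nobody inventoried,
               inventoried hosts the scan could not find)."""
    known = {a.host for a in inventory}
    seen = set(discovered_hosts)
    return sorted(seen - known), sorted(known - seen)


def priority(finding, assets_by_host):
    """Mission-weighted priority. An un-inventoried host is scored as
    mission-critical until an owner says otherwise: unknown is not safe."""
    asset = assets_by_host.get(finding.host)
    crit = CRITICALITY[asset.criticality] if asset else CRITICALITY["mission-critical"]
    score = SEVERITY[finding.severity] * crit
    if finding.exploit_demonstrated:
        score *= 2          # proven exploitable outranks theoretical
    if finding.internet_exposed:
        score += 2          # external reachability shortens the attacker's path
    return score


def rank_findings(findings, inventory):
    """Order findings for a commander: highest mission impact first."""
    by_host = {a.host: a for a in inventory}
    return sorted(findings,
                  key=lambda f: (-priority(f, by_host), f.host, f.finding_id))


def rank_by_severity_only(findings):
    """The naive ordering the text warns about, kept for comparison."""
    return sorted(findings, key=lambda f: (-SEVERITY[f.severity], f.host))


# Constructed sample inventory and scan results.
INVENTORY = [
    Asset("c2-gateway", "J6 operations", "mission-critical"),
    Asset("hr-portal", "J1 personnel", "administrative"),
    Asset("logistics-db", "J4 logistics", "mission-support"),
]
DISCOVERED = ["c2-gateway", "hr-portal", "logistics-db", "printer-07"]
FINDINGS = [
    Finding("hr-portal", "FINDING-001", "critical", True, True),
    Finding("c2-gateway", "FINDING-002", "medium", False, False),
    Finding("logistics-db", "FINDING-003", "high", True, False),
    Finding("printer-07", "FINDING-004", "low", False, True),
]


def report(findings=FINDINGS, inventory=INVENTORY, discovered=DISCOVERED):
    """Build the lines a commander would read: inventory gaps, then ranked findings."""
    unknown, missing = reconcile(inventory, discovered)
    by_host = {a.host: a for a in inventory}
    lines = [f"Unknown hosts (no owner, no classification): {unknown or 'none'}",
             f"Inventoried but not seen by scan: {missing or 'none'}"]
    for f in rank_findings(findings, inventory):
        owner = by_host[f.host].owner if f.host in by_host else "UNASSIGNED"
        lines.append(f"{priority(f, by_host):>3}  {f.finding_id}  {f.host:<13} "
                     f"{f.severity:<8} owner={owner}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Note what the ordering does: the "critical" finding on the HR portal drops below a demonstrated "high" on the logistics database because the latter sits closer to the mission, and the printer nobody inventoried lands on the report at all, with an explicit unassigned owner, which is the visibility gap the text describes. The weights are illustrative; the structure (owner-supplied criticality, tester-supplied severity and exploitability, and a hard rule that unknown assets are never scored as harmless) is the part worth keeping.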

Additionally, to keep up with the latest exploits from our adversaries, the DoD should be using a Software-as-a-Service (SaaS) solution to do its testing. SaaS can be constantly updated and improved; while the old model of shipping a static piece of software worked for many years, with today’s rate of technological change, software must constantly adapt in real time to new mission requirements and objectives. As new threats emerge, they can and should be quickly integrated into the software.

The Pentagon houses the headquarters of the Department of Defense, which has a total of 2.8 million military and civilian employees around the world. Humans can and will make mistakes. Only with the help of machines can human red teams and network defenders act quickly and broadly enough to prevent those mistakes from becoming real liabilities.

About Rebellion Defense: Rebellion builds mission-focused AI products for the defense and security of the United States, the United Kingdom and our allies.

Our people are passionate about creating a company where technologists empower the military and our civil servants to solve some of the hardest problems in government.

We are hiring! Check out our Careers page, or contact us at inquiries@rebelliondefense.com.
