Cover: Unclassified and Secure

Unclassified and Secure

A Defense Industrial Base Cyber Protection Program for Unclassified Defense Networks

Published Mar 30, 2020

by Daniel Gonzales, Sarah Harting, Mary Kate Adgie, Julia Brackup, Lindsey Polley, Karlyn D. Stanley

Download

Download eBook for Free

FormatFile SizeNotes
PDF file 1.8 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Purchase

Purchase Print Copy

 Format Price
Add to Cart Paperback150 pages $37.00

Research Question

  1. How can DoD better help protect the DIB against cyber attacks?

The defense industrial base (DIB) is under attack. Foreign actors are stealing large amounts of sensitive data, trade secrets, and intellectual property every day from DIB firms — contributing to the erosion of the DIB and potentially harming U.S. military capabilities and future U.S. military operations. The U.S. Department of Defense (DoD) has taken steps to better secure systems against cyber threats, but most protections in place focus on classified networks, while unclassified networks have become an attractive entrance for adversaries seeking access to cutting-edge technologies and research and development efforts. To address this problem, DoD has increased regulations and introduced new security controls, but the current approach may be insufficient.

This report offers DoD a way ahead to better secure unclassified networks housing defense information — through the establishment and implementation of a cybersecurity program designed to strengthen the protections of these networks. The program offers a means for DoD to better monitor the real-time health of the DIB and ensure that protections are in place to prevent the disclosure of sensitive corporate information from DIB firms or sensitive supply chain information across the DIB. The program also includes a means to offer qualified small DIB firms access to cybersecurity tools for use on unclassified networks, for free or at a discounted rate, to ensure that affordable protections are accessible to all DIB firms. Advanced persistent threats and sophisticated cyber attacks will not stop, but this program can help build stronger defenses, develop more-coordinated responses, and help maintain the technological superiority of U.S. military forces.

Key Findings

DoD's current approach to defending DIB firms against cyber attacks is inadequate

  • The cybersecurity architectures of small DIB firms are likely to be deficient in several key areas: user authentication, network defenses, vulnerability scanning, software patching, and security information and event management, or cyber attack response.
  • Current DoD cybersecurity requirements are unaffordable for many small and some medium-sized DIB firms.
  • DoD's voluntary cyber threat sharing service is not available to many DIB firms.
  • New cybersecurity tools can significantly strengthen the cyber defenses of DIB firms, but most small DIB firms cannot afford them.

Recommendations

  • DoD should establish a DIB Cyber Protection Program (DCP2) to improve the monitoring and real-time health of the DIB, improve cybersecurity for firms that cannot afford the needed CSTs and professional staff, and offer data and legal protections to DIB firms.
  • The DCP2 would be a voluntary program under which DoD would provide CSTs to DIB firms either free of charge or at significantly reduced licensing costs. In turn, the DIB firms would agree to provide sanitized data produced by the CSTs to a security operations center (SOC) — either one run by DoD or a trusted third-party SOC — devoted exclusively to defending the DIB.
  • The DIB SOC or commercial SOC would provide dynamic intelligence, security alerts, and recommended actions to DIB firms to identify and remediate advanced persistent threat incursions and to prevent the exfiltration of important information from the unclassified network of the DIB firm.
  • The DCP2 would enable real-time threat intelligence to be collected and synthesized across the DIB in ways currently not possible, while respecting the confidentiality and proprietary nature of DIB contractor supply chains.

Funding for this project was made possible by the independent research and development provisions of RAND's contracts for the operation of its U.S. Department of Defense federally funded research and development centers.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.