Ransomware is commonly conceived as a commercial issue, but it has the potential to threaten the Department of Defense’s data as well.
That’s why Defense agencies have utilized operational strategies to address attack vectors and build a workforce that can block ransomware as the federal government continues to transition toward storing its data in the cloud.
“We constantly are aware of the environment that’s going on around us. Part of that is that aptitude that we need to have to always be ready. We stand at 24/7 watch; we provide that support to the most attacked entity in the world,” Navy Rear Admiral Brian Hurley said on Federal Monthly Insights: Going Beyond Data Protection. “And so ransomware is a concern, because it’s the aptitude or the ability for malicious actors to use that aggressively in our domain.”
To ensure DoD responds to the 1,000 or more cyber attacks it faces daily, the Defense Information Systems Agency has employed a task force that reaches across the department’s wide-ranging apparatus, including cloud service providers, Cyber Command, JFHQ-DODIN and CISA at the Department of Homeland Security.
“When we have an incident, whatever that might be, even if it’s to support, you know, an Afghanistan mission or whatever the case may be, we have a task force. We have collaborative means to where we set up a war room for urgent matters,” David Smith, cybersecurity center chief at DISA, said on the Federal Drive with Tom Temin. “And therefore, we talk to CISA, Department of State, nation actors, as far as stakeholders based on this particular thing.”
Part of DoD’s playbook for effectively detecting ransomware includes having a knowledgeable workforce. DISA, for instance, hires cybersecurity professionals with nationally recognized certifications, and then trains those employees through rehearsals and simulations.
Hurley said this kind of training extends to the user community as well — so that everyone within the ranks, including administrators, is on the lookout for ransomware incidents. Service members are trained to know how to report attacks, who to report to, and the urgency with which they should be reported.
In terms of protecting data within DoD, agencies have employed more technical bulwarks, such as dual-factor authentication, asset inventory and encryption mechanisms.
“We determine what’s more vital to our operation, as far as data goes. We’re determining what’s acceptable, as far as loss of data. Worst case scenario, if the answer is zero — in other words, not one minute of data can be lost — then we have fault tolerance and remote journaling to where we don’t lose any data,” said Smith. “As far as the corruption part, that’s based on, obviously, we would work encryption into our backups as far as the keys and all that stuff. And then we would basically encrypt to the last known point of good data. But it’s all based on how we define its criticality to our operation.”
As cloud services have become an integral part of data storage within DoD, DISA and other defense agencies are also working with cloud service providers like Microsoft and Amazon to ensure they meet federal requirements — like FedRAMP — and provide intelligence about cyber attacks they might face. DISA consistently communicates with cloud vendors, and allows them to have controlled access in areas where they maintain the cloud, to improve responsiveness.
However, Smith said the key ultimately is to have trusted agents who are able to provision and de-provision assets.
“The key is making sure that the people you do entrust with that level know exactly what they’re doing, and certainly know exactly the impact globally — impacts of your assets — not only to our operation, but to [Department of Defense information networks] operations and other DoD and, in some cases, federal task force,” said Smith. “So you’ve got to make sure they’re in the know if you’re going to give that level of power.”