The Defense Logistics Agency (DLA) provides more than $42 billion in goods and services annually while supporting U.S. combat logistics around the world. With about 26,000 employees operating in 28 countries, how does DLA monitor cyberthreats?
Increasingly, the answer is cyber intelligence. In an interview with GovLoop, Chief Information Officer (CIO) George Duchak and Director of Cybersecurity Linus Baker explained how DLA – and the Defense Department (DoD), its parent agency – stays informed about the global threat landscape.
The interview below has been lightly edited for brevity and clarity.
GOVLOOP: How is traditional, perimeter-based cybersecurity getting harder?
BAKER: I would say it has probably been an increasing concern outside of DLA more so than inside DLA. It’s because of the fact DLA was well-postured. We had been on a course that charted remote work as a normalcy. Our cyber operations staff, mainly our CSSP/CERT – our Cybersecurity Service Provider/Computer Emergency Response Team – they’ve been postured and executing their monitoring, their response, their incident handling against a robust remote workforce prior to the COVID-19 pandemic. For DLA, it wasn’t much of a shift.
One of the things I would tell you is more of a concern than it has been in the past is the large number of endpoints that are seated on our networks today, especially with mass telework becoming the norm over the last few months. Identifying and confirming anomalies and positive, adverse actions has become more difficult. It has amped up our attention on automation, machine learning and robotic process automation and bringing that into the fold to a greater degree across the cybersecurity spectrum. It is almost a must now because of the massive amounts of data to sift through to get to what you’re seeking.
DUCHAK: Perimeter security doesn’t really protect against the biggest vulnerability that any organization has, and that’s phishing. That’s something that’s very difficult to defend against. We have a good spear-phishing campaign where we’ll send out targeted emails to our folks to see if they’ll click on things they shouldn’t be.
The second thing about perimeter security is you’ve got to know what’s on your network. We’re just starting – as well as all of DoD – with this concept of “Comply to Connect.” You can’t put an unknown piece of hardware on your network. It must be validated. The patching must be up to date. You’ve got to get a driver’s license before you’re allowed to drive on the network.
GOVLOOP: How can DLA improve its threat intelligence?
BAKER: For threat intelligence to be useful, it’s got to be targeted towards the mission. There’s a lot of backend work that must be done first. You’ve got to understand the mission. You’ve got to understand from a strategic perspective how valuable the IT you deliver is. What does it enable? When you begin to target the enabling capabilities, what you deliver as part of the mission, then you can begin to pull out those crown jewels and begin to understand what’s important from an infrastructure perspective, down to a business system perspective, down to a sensor that drives some mechanical functions. We’re heavily dependent on operational technology for some of our mission. We’re talking pipelines, fuel and energy, shipping and refining. Operational technology is key to this.
Logistics operations is what we deliver to the warfighter. Understanding that mission and that cyber terrain, now we can begin to target threat intelligence. That enables me to execute the intelligence preparations for cyberspace that matter to DLA.
That’s how I see agencies leveraging cyberthreat intelligence. Otherwise, it’s just data that’s there and it is hard to make sense of if you haven’t done the work to understand your business or your mission.
GOVLOOP: Does cyber intelligence give you the best possible information to make an informed decision about something related to DLA’s mission?
BAKER: You must prioritize. All threat intelligence might not necessarily rise to the level of other threats. That’s why it needs to be targeted.
We’ve taken steps to prioritize our remediation efforts. We recognize we’re not going to be able to swallow the ocean in trying to execute our cyber defense mission where it’s most needed. Prioritization is key and that’s how you target threat intelligence.
DUCHAK: Fundamentally, organizations that don’t have a threat intel cell behave differently. First, threat intel doesn’t equal cybersecurity. Threat intel is more about the who, understanding the motives of the threat actors, what targets they’re going after, and their behavior. Cybersecurity is more about what to do about it. Having a threat intel cell focuses the mental model at your organization from being reactive to being proactive. You start getting out in front of the threat. If you don’t have a threat intel cell, all you’re doing is reacting constantly to what someone else is doing to you.
GOVLOOP: What cyber intelligence lessons would you share with other agencies?
DUCHAK: You must understand your landscape. The reality is we are a target and we’re going to be a target. Part of cybersecurity at any organization is you don’t want to spend money on it until you need it. And you don’t need it until you’ve been had, and, by then, it is too late. There’s always this dynamic tension within an organization when you’re trying to fund cybersecurity.
At some point, when do you know you have enough cybersecurity? Is it 10, 20, 30 products? There is a certain law of diminishing returns there. Every agency is in a box in terms of cost constraints and must determine what’s the right product mix at their agency. Enlightened leadership understands it does cost money to be secure. What we’re securing is national defense.
GOVLOOP: What’s the main takeaway about cyber intelligence?
BAKER: It is the criticality of good, accurate cyberthreat intel and having those feeds consistently available. It is having the cybersecurity infrastructure in place to leverage data and target efforts where they matter most given your business and mission. It is central to your cyber resilience capabilities. It is central to your ability to be proactive rather than reactive. If we’re proactive, we can begin to do things before vulnerabilities have propagated across our ecosystems. That’s a paradigm shift that’s necessary as we go forward.