(June 2, 2016) – During my initial months as CIO of the Air Force, I thought that our cyber security was pretty good. After all, the Air Force is a highly technical organization and a culture of security was pervasive in the military. My false sense of comfort was punctured by a couple of security penetration tests conducted against the Air Force by the National Security Agency (NSA). In short, they found systemic weaknesses in every area that they evaluated.
My initial reaction was one of disbelief. How could we be spending almost a billion dollars on cyber security tools and personnel and still have systemic weaknesses? It was clear that these findings were not the result of a lack of resources. I asked the NSA to advise me on where I should start in getting on a path to improved cyber security. In response to my request, NSA shared that approximately 80% of cyber-attacks targeted software that was not configured properly (i.e., software was not installed with protections enabled or up-to-date patches were not installed). This clearly was the place to start to improve cyber security in the Air Force.
The NSA’s input became the basis for an initiative to deploy a security-hardened version of Microsoft’s operating system on all desktops, laptops, and servers. We also implemented automated tools to ensure that all instances of the operating system were updated and patched properly. Fielding the hardened operating system on Air Force desktops and servers took about eighteen months, mostly due to the need to modify applications that had used now-disabled operating system functions that were assessed to be a security risk.
The results of this project were enlightening. Deploying the hardened operating system and automated configuration management tools resulted in a significant reduction in security breaches. This result was expected. What was not expected, however, was the resulting increased operational availability (i.e., less down time) and significant reductions in cost of operations. These results were a huge “aha” moment for me—improved security can also be operationally beneficial and cost less.
An Air Force Colonel explained the results this way: “If you establish standard configurations and you don’t tinker with them, the systems don’t break and don’t require much maintenance”. In this case, standard configurations and deploying appropriate automated support to ensure that configurations were kept current required far fewer personnel. Thus, we discovered that strong configuration management was not only a good security practice but was also a sound economic investment.
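The practice described in the two paragraphs above (a standard hardened configuration defined once, with automated checks that keep every instance on that baseline) can be illustrated with a small configuration-drift checker. The following is an added example and is not code from the Air Force program, the NSA, or any CIS tooling; the setting names, host names, patch identifiers and the baseline values are all constructed for the example and do not correspond to any real hardening standard.

```python
"""Baseline configuration drift checker (added example, not Air Force or CIS tooling).

A hardened baseline is declared once; each host's observed settings and installed
patches are compared against it, and every deviation is reported so it can be
remediated. All setting names, hosts, patch ids and values are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


# A rule is ("eq", value): the setting must equal value, or ("ge", n): the
# numeric setting must be at least n. (Rule shape is an assumption of this example.)
def _satisfies(rule, observed):
    op, wanted = rule
    if op == "eq":
        return observed == wanted
    if op == "ge":
        return isinstance(observed, (int, float)) and observed >= wanted
    raise ValueError(f"unknown rule operator {op!r}")


@dataclass(frozen=True)
class Baseline:
    settings: dict            # setting name -> rule
    required_patches: frozenset


@dataclass
class DriftReport:
    host: str
    wrong_settings: dict = field(default_factory=dict)   # name -> (rule, observed)
    missing_settings: list = field(default_factory=list)  # present in baseline, absent on host
    missing_patches: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not (self.wrong_settings or self.missing_settings or self.missing_patches)

    def findings(self):
        """Flat list of finding labels, used for fleet-wide aggregation."""
        out = [f"setting:{n}" for n in self.wrong_settings]
        out += [f"missing-setting:{n}" for n in self.missing_settings]
        out += [f"patch:{p}" for p in self.missing_patches]
        return out


def check_host(host, observed_settings, installed_patches, baseline):
    """Compare one host's observed state against the baseline."""
    report = DriftReport(host)
    for name, rule in baseline.settings.items():
        if name not in observed_settings:
            report.missing_settings.append(name)
        elif not _satisfies(rule, observed_settings[name]):
            report.wrong_settings[name] = (rule, observed_settings[name])
    report.missing_patches = sorted(baseline.required_patches - set(installed_patches))
    return report


def check_fleet(inventory, baseline):
    """inventory: host -> (observed_settings, installed_patches); reports sorted by host."""
    return [check_host(h, s, p, baseline) for h, (s, p) in sorted(inventory.items())]


def summarize(reports):
    """Return (compliant_count, total_hosts, most common findings) for prioritising fixes."""
    compliant = sum(r.compliant for r in reports)
    counts = Counter(f for r in reports for f in r.findings())
    return compliant, len(reports), counts.most_common(3)


# Constructed baseline: illustrative hardening settings, not a real standard.
HARDENED_BASELINE = Baseline(
    settings={
        "smb_v1_enabled": ("eq", False),
        "guest_account_enabled": ("eq", False),
        "host_firewall_enabled": ("eq", True),
        "autorun_enabled": ("eq", False),
        "min_password_length": ("ge", 14),
    },
    required_patches=frozenset({"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}),
)

# Constructed inventory: one compliant host, one with a re-enabled legacy
# protocol and a missing patch, one with a weak policy and an unset control.
_BASE = {"smb_v1_enabled": False, "guest_account_enabled": False,
         "host_firewall_enabled": True, "autorun_enabled": False}
SAMPLE_INVENTORY = {
    "ws-001": ({**_BASE, "min_password_length": 16},
               {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}),
    "ws-002": ({**_BASE, "smb_v1_enabled": True, "min_password_length": 14},
               {"PATCH-EXAMPLE-001"}),
    "srv-001": ({k: v for k, v in _BASE.items() if k != "autorun_enabled"} | {"min_password_length": 8},
                {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}),
}

if __name__ == "__main__":
    reports = check_fleet(SAMPLE_INVENTORY, HARDENED_BASELINE)
    for r in reports:
        status = "OK " if r.compliant else "DRIFT"
        print(f"{status} {r.host}: {', '.join(r.findings()) or 'compliant'}")
    print("summary (compliant, total, top findings):", summarize(reports))
```

Running the block prints one line per host and a fleet summary; the summary's most-common findings are what a configuration-management team would use to decide which deviation to remediate first, which is the prioritisation the post attributes to standard configurations and automated support.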
Other large organizations have found that focused cyber security efforts can yield major improvements in security. In 2012, the Australian Signals Directorate found that implementation of just four controls mitigated at least 85% of cyber threats. In a parallel effort, a community consensus effort developed the Critical Security Controls (CIS Controls) that addressed approximately 80% of the most frequent attack patterns. The Controls have been widely adopted as a sound approach to address the most common cyber security threats.
Experience with implementing the CIS Controls has validated that so-called good “cyber hygiene” is the necessary foundation for building a resilient cyber infrastructure. Many of the Controls, such as asset tracking, configuration control, and control of administrative privileges, can be readily seen as necessary systems and network management practices; you cannot secure a cyber environment without first establishing foundational management disciplines. Anomalous events (attacks) can be identified only if the behaviors of normal operations are well understood. Moreover, as I found with the Air Force implementation of a standard locked down Microsoft operating system, good hygiene can reduce costs in addition to reducing vulnerability to cyber-attacks.
So, what are the lessons that I have learned from these experiences? My experiences in the Air Force showed me that large investments in advanced tools and uncoordinated cyber security approaches do not necessarily improve security. Improvements in security require a solid and focused foundation, such as implementation of the CIS Controls, which makes it possible to make significant progress by addressing a small number of areas, specifically those tied to the most frequent threat patterns. In addition, the foundation is a necessary prerequisite for tailored investments that target organization-unique security issues and evolving threat patterns. I will address this topic in a future