ActiveCyber Interview with Mr. Curtis Dukes – Deputy National Manager for National Security Systems at NSA

Curt Dukes of NSA discusses NSA’s Active Cyber Defense (ACD) program and highlights how academia, industry and government are moving forward to “achieve the key ACD goal of defensive response within cyber-relevant time.” Learn about the genesis, the goals, and the accomplishments of this program to date in the interview below with ActiveCyber.net.

If you have been a reader for this site for any time, you will know that I have been closely following the work sponsored by NSA on active cyber defenses. Back in September I attended a conference where Mr. Curt Dukes was speaking and asked him about the ACD  program – one of the many IA programs he oversees as Director of the NSA Information Assurance Directorate at the time.  Mr. Dukes was also kind enough to accept my invitation for an interview to offer ActiveCyber readers his perspectives on how the ACD program is advancing and why it has the ability to transform our approach to securing our national security systems as well as the everyday systems you rely on at work and at home. Learn about these advances in the interview below.

Spotlight on Curt Dukes, Deputy National Manager for National Security Systems, NSA

» Title: Deputy National Manager, National Security Systems, NSA
» Website: https://www.iad.gov/iad/programs/iad-initiatives/active-cyber-defense.cfm
» Linkedin: https://www.linkedin.com/in/curtis-dukes-aa9966129
Read his bio below.

November 15, 2016

Chris Daly, ActiveCyber: NSA has a program for Active Cyber Defense underway for the last couple of years. Could you please explain the background for the genesis of this program, and key objectives that you are trying to attain?

Mr. Curt Dukes, NSA: In 2011, the United States Department of Defense (DoD) published a strategy for Operating in Cyberspace. This strategy expressed the need for Active Cyber Defense (ACD), and defined ACD as: “DoD’s synchronized, real-time capability to discover, detect, analyze and mitigate threats and vulnerabilities.” Since then, we’ve been working on establishing frameworks for functions, capabilities and activities that will facilitate DoD’s desired results from operationalizing ACD. The intent of these frameworks is to engage industry in identifying and elaborating on solutions to integrate, synchronize and automate courses of action to achieve our key goal of defensive response within cyber-relevant time.

Cyber-relevant time is a term that encompasses a range from milliseconds to minutes depending on the battle space. If the battle space is within the CPU, we’re talking microseconds. If the battle space is between two computers separated by a satellite we’re talking milliseconds to seconds; add live operators and we’re talking seconds to minutes. The point is to execute a defensive course of action before an adversary can bring about their desired result.

ActiveCyber: What outcomes have the Active Cyber Defense program obtained to date, and what are your expectations for the future? Who are the target customers for these outcomes?

Dukes: Our outcomes to date include Johns Hopkins University Applied Physics Lab (JHU APL) work on integrated adaptive cyber defense (IACD) and their success in integrating many Commercial Off the Shelf (COTS) products to achieve automated detection, decision and response. There are regular meetings of current and potential vendors to share JHU APL results, lessons learned and engage in furthering our vision of ACD. More details are available via IACD Community Days webpage (https://secwww.jhuapl.edu/iacdcommunityday/). The primary beneficiary from these outcomes is the cyber defense industry that includes benefits to government by virtue of implementing COTS solutions for ACD developed and maintained by commercial vendors.

Another example of progress to date… the notion of improving defense action time is inherent with ACD and includes both detect and defend as well as predict and preempt potential effects. The latter implies the need for predictive analytics. In collaborations with the Army we have made significant progress in big data and streaming analytics to drive proactive response to cyberspace activity.

With regards to future expectations, so far we are on a very productive path and we plan to continue on that path by identifying pockets of excellence throughout government, academia, the research community and commercial industry to elaborate in depth on the various details of ACD. To make significant progress we must tackle many areas in parallel. The structure of the ACD reference architecture enables these discreet activities and provides the ability to integrate them into a cohesive whole.

ActiveCyber: What roles do the vendor and research communities play both now and in the future for the success of the Active Cyber Defense program?

Dukes: The government’s role has been one of a thought leader to identify operational needs, current solutions and solution gaps. Our current primary focus is to produce the organizing frameworks that integrates the many solutions necessary to operationalize ACD.

We also propose new interoperability standards to which industry will need to adhere to achieve ACD in operations. While we engage with industry to help identify, define and develop those interoperable standards industry’s primary role is to provide the predominance of ACD capabilities via COTS solutions.

The role of research has been on pilots and example implementations to provide the first steps toward integrating many previously disparate products into a cohesive workflow using orchestration. The vendor role is to provide COTS solutions, help refine the ACD frameworks and define the interoperability standards necessary to achieve ACD.

For example, in collaboration with the Defense Information Systems Agency (DISA) we identified solution gaps around mobility capabilities. Our government/contractor team in the Mobility Innovation Center (MIC) then developed a pilot for secure orchestration to provide automation for a mobility infrastructure.

ActiveCyber: DARPA recently announced the winner of its autonomous bug hunting contest. What role do autonomous endpoints play in Active Cyber Defense and how are you incorporating machine learning and artificial intelligence capabilities in the program?

Dukes: Autonomous endpoints are in keeping with the ACD design philosophy of having many tools doing what they do best – as long as they can communicate their findings to and receive direction from an orchestration engine for coordinated activity. Autonomy is good in so far as being adaptive and self-initiating; however, autonomy is not synonymous with anarchy, meaning each autonomous tool must still function as part of a larger collection of tools working together to sustain active cyber defense.

We feel the operational realization of artificial intelligence (AI) or machine learning in ACD is a long-term objective. However, the current ACD reference architecture accommodates the need for AI in the form of a joint cognitive system (JCS) that functions as a cognitive assistant to cybersecurity practitioners. The vision for AI is not so much as a proxy for human activity but rather as a supplement to human activity. The goal is to have human-machine interaction in cybersecurity operations become a symbiosis where both are better working in concert than separately. The goal is in keeping with Strategy 2: Develop Effective Methods for Human-AI Collaboration as expressed in The National Artificial Intelligence Research and Development Strategic Plan released from the Executive Office of the President in October 2016. One of our ACD team members published a conference paper at the INCOSE (International Council on Systems Engineering) International Symposium July 2015 on Adaptive Knowledge Encoding for Agile Cybersecurity Operations that lays the foundation for AI in ACD operations.

ActiveCyber: What types of data and interoperability standards are essential for the success of the program and what role is NSA playing in the development and acceptance of these standards?

Dukes: ACD is one of the first steps on the path to define and achieve the future vision of security automation and, as such, begins to address interoperability needs critical to achieve that vision. Our work on ACD introduced and elaborated on the need for secure orchestration which has evolved into a growing industry. We engaged industry to propose a command and control standard to achieve a common method for orchestrating cybersecurity workflows. This group has emerged as the Open C2 Forum (www.openc2.org) which to date has produced an Open C2 language description with the intent to enhance the description into an industry standard. While Open C2 has been chaired by government, industry, academia and vendor members have played a foundational role providing the subject matter expertise to produce the details to which they will voluntarily adhere in order to achieve standardized orchestration for ACD.

ActiveCyber: Some in the cybersecurity community feel that preventing breaches is impossible today and that the best we can do is respond to breaches quickly. Do you feel that real-time breach prevention is at a dead end? Are there specific types of advancements in the vendor or research communities that you feel could turn the tide in this area?

Dukes: Breach prevention is never at an end. Acknowledging that some criminals can get into your house is not justification to remove all the locks on doors and windows. Each safeguard has its role and limitations. Our job includes identifying those limitations and ensuring additional security measures are in place for defense in depth. By doing this we raise the cost to an adversary trying to breach our systems and force them to have to use zero-days against us versus known vulnerabilities and exploits.

That said, networks should always assume that a sophisticated adversary will eventually “get in” and are prepared to minimize the damage from a breach. We have activities in cyber security and resilience that address how best to fight through the attack. This acknowledges the presence of the advanced persistent threat (APT) and the need to continue successful network operations, knowing that an adversary currently resides on your network. Cyber resilience is a distinct effort that elaborates on one facet of ACD. Cyber resilience is closely akin to agile security that provides dynamic adaptation of the cybersecurity environment.

The International Council on Systems Engineering (INCOSE) produces systems engineering guidance to address the security of cyber-physical systems; e.g., Industrial Control Systems (ICS). Members of our ACD team collaborate with INCOSE and recently contributed an article – Architecting Composable Security to the INCOSE INSIGHT July 2016 issue which is dedicated to agile security and cyber resiliency. The article describes a vision of agile security in response to an adaptive adversary, again, with the intent to engage industry for operational realization of that vision.

Additionally, there is a DoD focus on better defining and categorizing threats with the intent to use the results to isolate those safeguards, current or needed, which are most effective and efficient in the face of a threat that continually resides on our network.

Thanks Curt. It really sounds like this collaboration on ACD between industry, government, and academia is taking off in practical ways to combat the ever-increasing cyber threat. I look forward to engaging in the sharing of knowledge and technology that is going on through Open C2, especially in the area of automated playbooks. I am sure that my readers will be paying special attention, (if they aren’t participating already) to the work produced through the NSA ACD program and the related initiatives. It will be interesting to watch the positive impacts this program has over time on our national cyber posture.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.