"We have developed an agile and efficient process for delivering solutions that protect against the cyber insider threat," said Lt. Col. Richard Howard, the Materiel Solutions Analysis (MSA) chief.
Unlike other teams within the Special Programs Division, the MSA is the only one that functions outside the classified realm. The team's mission is to rapidly identify and test government and commercial off-the-shelf hardware and software, and if viable, transition it to the classified arena. However, combating the cyber insider threat on secure networks quickly became one of MSA's primary focuses.
In January 2014, the special programs unit stood up the MSA Lab, where the team tests and scrutinizes commercial and government technologies that could potentially function on a secure network, and at the same time, serve as a deterrent for insider attacks. The MSA Lab consists of three sections: Level 1, a robust unclassified area used to test incoming technologies; Level 2, which has the potential to perform classified tests; and Level 3, which is a virtual demonstration room. Since MSA's inception, they have fielded more than 100 proposals on insider threat mitigation technologies from commercial companies, both large and small.
"The MSA Lab is unique, and by design, highly specialized on the needs of a select classified community," said Paul Krueger, the MSA chief engineer. "Being co-located at Hanscom AFB with the Hanscom Collaboration and Innovation Center is important so that when necessary, we can take advantage of its infrastructure for massive joint and multi-nation coalition warfighting experiments and demonstrations."
Upon significant amounts of testing, the Air Force partnered with MIT Lincoln Laboratory and began to notice a common misconception within industry.
"We saw a disturbing trend emerging from companies—that there is a single solution fix to insider attacks," Howard said. "The cyber insider threat is complex, and to believe a single technology exists that will prevent malicious insiders from stealing, altering or destroying sensitive information is inaccurate."
To better understand and depict the intricacies of this problem, MSA engineers devised a model known as the Insider Threat Universe (ITU). The ITU concept is comprised of layers that convey how certain technologies protect in part -- but not in all -- the Air Force's secure networks. Confidentiality, integrity and availability make up the basis of the ITU with information serving as the core. Procedures, policies and monitoring are other items that directly impact information concerns. Specific areas such as data-at-rest encryption and role-based access controls represent technology layers also used to protect information. The MSA team realized the need to socialize the ITU concept and generate open communication among other Defense Department agencies also faced with growing insider threat problems.
Last month, the MSA office hosted the first Cyber Insider Threat Workshop. More than 100 cyber, security and acquisition professionals from more than 30 organizations attended. Representatives from the MSA office, Air Combat Command, Air Force Research Lab, 24th Air Force, Carnegie Mellon University, C3I Infrastructure Division, MIT Lincoln Laboratory and MITRE discussed current mitigation efforts and how they fit into the ITU model. According to MSA officials, there were two main takeaways from the event.
"The cyber insider threat is complicated, difficult to define and a challenge to defend against," Krueger said. "The ITU model is a useful tool that can be used to help define these threats, but it is a constantly evolving concept."
Krueger also called for more effective communication across the Air Force, government, and other agencies throughout the DOD.
"Communication is the only way synergy can be developed across the board," he said. "Making the community aware of currently used technologies, as well as equipment and software that's being tested and fielded by facilities like the MSA Lab, is critical to solving this problem."
Over the last year, the demand for MSA-vetted technologies has increased exponentially. In order to keep up with testing and analysis, the lab increased from two to seven engineers plus support from MIT Lincoln Laboratory, MITRE and various contractors. Recently, Maj. Gen. Craig Olson, the C3I and Networks Directorate program executive officer, presented MSA's areas of interest to industry during the annual 2015 New Horizons event in Newton, Massachusetts.
"Not only is this a great opportunity to bring our efforts to light outside of DOD agencies, but it will also allow us to gather valuable feedback on how our industry partners deal with insider cyber threats," Olson said.
Since the MSA team was created, they've stood up a testing lab, developed a threat model and organized a forum fostering dialogue among other DOD agencies—all in the name of cyber security.
"In order for us to successfully mitigate the cyber insider threat problem, organizations across the DOD must work together; technological, physical and administrative solutions should be leveraged across the DOD IT enterprise," said Col. Jeffrey Kligman, the Special Programs Division senior materiel leader. "Communication and innovation are key to securing our computing environment."