Mitigating risk to DOD information networks by improving network security in third-party information networks

Abstract

Poorly defended third-party information networks can act as an attack vector for cyber attackers to successfully breach larger and more robustly defended information networks. Therefore, third-party networks connecting to Department of Defense (DOD) information networks may pose a significant risk to the DOD. The DOD has attempted to alleviate this risk to its networks by requiring covered defense contractors to meet certain network security standards and by initiating a cyber threat information sharing program: the DOD Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program. However, these DOD actions are not aggressive enough to adequately mitigate this risk to DOD networks. To adequately address this problem, an expanded and more aggressive incentive-based program is required. Existing federal government, incentive-based programs were analyzed as potential exemplars from which to build a new incentive-based network security program. The Department of Homeland Security's (DHS's) Safety Act Program was ultimately chosen as the primary exemplar. Using this model, an Enhanced DOD CS/IA Program was designed to offer the DOD a system that can influence the improvement of third-party network security through a structure of synchronized network security controls and incentives. By implementing the proposed DOD Enhanced CS/IA Program to improve the network security of third-party networks that connect to DOD networks, the DOD can better mitigate the risk of cyber attacks to its own networks.