Dear DISA and DoD, Why Are We Not Making Better Use of our Certified Ethical Hackers?

This is an opinionated article written by Kurt Dunn, founder of American Certified Professionals.

September 27, 2024

In a recently published DISA article titled “DISA senior leaders highlight industry’s role in mission success at Federal Networks 2024” by Marco Villasana Jr., DISA leaders state that they strongly recognize the need to better protect against evolving cyber threats against mission-critical systems, but to do so, will require a multi-tiered approach from “industry partners.”

As the article mentions:

Brian Hermann, DISA Program Executive Office for Cyber director, highlighted the complexity of DISA’s cyber terrain and the need for industry to simplify operations and defenses while keeping up with evolving threats.

He states “We need to be able to respond in a timely manner, to attack and defend against [cyber threats],” Hermann said. “We will likely never achieve one single solution for the entire United States Department of Defense. So, understanding that challenge, how do the capabilities that you bring fit in to make operation and defense of our terrain simpler and faster?”

In recognizing the importance of protecting DISA's mission-critical systems from cyber threats, we have to ask ourselves, why are DoD Certified Ethical Hackers (CEHs) not being better utilized?

Couldn’t it be of significant value to have all of DoD's Certified Ethical Hackers brought together under one roof, to collectively review and discuss all current vulnerabilities across mission-critical systems, to then come up with a solution?

A collaborative cross-functional approach among the CEHs in different DoD domains could give a much more accurate and comprehensive overview of the DoD’s cyber posture, highlighting the past, present, and future threats and vulnerabilities that might be missed when evaluated in domain isolation, or through the lens of external agencies.

One would think it would be these individuals that can best highlight what needs to be improved across systems, what the vulnerabilities are, what some commonalities might be, and likely have the real answers as to how we can better position our defenses against mission-critical cyber threats.

Yes, I am suggesting there be an established DoD Certified Ethical Hacker Oversight Committee (all with Top Secret/SCI Full-Scope Polygraph clearances) who regularly - and collectively - train, audit, and run Red Team penetration exercises across all DoD systems, networks, and landscapes - checking for vulnerabilities, weaknesses, and areas where more robust, connected, and secure patches need to be made, modified, or improved.

While DISA and DoD do already employ Certified Ethical Hacker professionals to do penetration testing, vulnerability assessments, security audits, reporting, and incident response duties, they mostly focus in specific defense domains, and there currently is not a designated DoD Certified Ethical Hacker Oversight Committee where their combined domain system-focused expertise and cross-functional collaboration could have a significant and more timely impact in protecting against multi-system and multi-domain cyber threats across all DoD mission-critical defense systems.  

By pulling from their diverse Ethical Hacking domain focus areas, as it relates to the different mission-critical systems, software, and networks, they could assess vulnerabilities across all communications, satellite systems, and weapons systems (evaluating land, air, sea, and space asset vulnerability) – together, with collective input and oversight - offering a more holistic understanding on how to better defend against evolving cyber threats, and particularly those that target multiple attack vendors, simultaneously.

With this Committee in place, we could better evaluate the interdependencies of these systems and more accurately pinpoint where the exploit chains and vulnerabilities lie, with continuous monitoring, testing, and innovation, providing faster defense protocols.

Once the weaknesses and vulnerabilities are identified by this internal DoD “Top Gun,”  “Special Ops,” “Navy Seal-like” cyber team of Ethical Hackers, the work towards a true (and fully secure) solution can begin from within.

This dedicated DoD Ethical Hacker Oversight Committee could then be tasked with creating the long-term, interconnected security architecture solutions themselves, with trusted zero-trust models, working alongside the most talented DoD network, systems and software engineers and developers we have (who would also hold Top Secret/SCI with Full-Scope polygraph clearances) to build STRICTLY CLASSIFIED custom tools, scripts, and patches specifically designed to secure military systems.

In going this route, we not only have a more active military-tailored playbook and SOP, but we also strategically, and significantly, mitigate the risk of our newly implemented cyber defenses and protocols being exposed or leaked to the public, which would most certainly be the case if the awarded ‘industry partner,’ or ‘partners’ get hacked themselves, or worse, acquired down the road by potentially ‘bad actors’ with malicious intent.

How can we trust that we are truly implementing zero-trust models if external industry partners are contributing? How do we know those external contributors aren’t working out code in a notebook somewhere before implementing them in the mission-critical systems? Although we trust industry partners for many things when it comes to our nation’s defense, one would think the evolving cyber threats are simply too high and too severe to leave the door open to possibility.

Furthermore, what happens when the vendor(s) contract expires? Would a new vendor come along and now need access to those SOPs with defense mechanisms and protocols that were just put in place by the previous vendor(s) to make changes? Would you want to risk even a slight possibility where you would need to rely on an external partner for a piece of SOP that was missing at a critical moment, or anything at all to protect against an active threat? It’s a recipe for ongoing disaster, and should be considered as a last resort after more accurately defining the specifics of what is needed through the eyes and expertise of this Committee.

We should be wanting to do this internally where it is most secure and protected, and where our nation’s best and most trusted defense hackers, engineers, and developers can work together to continuously scale for integration and deployment against mission-critical cyber threats as they evolve in real-time – relying on no external partner, or entity, unless absolutely necessary.

By going in with that mindset, we can at least limit vendor reliance and dependence on select core components that are absolutely needed for one reason or another, with certainty.

CEHs are often on the cutting edge of understanding new attack vectors and methodologies. By forming this DoD-specific Hacker Oversight Committee - pulling our CEHs that are most experienced with the current systems - we can more effectively share threat intelligence gathered from ethical hacking exercises across the broader DoD community.

While individual domain-focused CEHs can uncover vulnerabilities and propose solutions, a collective approach would amplify the efforts, offering a more comprehensive view of the threat landscape. By working together, these CEHs can address not only immediate vulnerabilities, but also contribute to long-term strategic cybersecurity planning for the DoD leading to more resilient mission-critical systems. Through vulnerability identification, red teaming, cross-functional collaboration, and providing varied strategic insights, CEHs would significantly enhance the DoD's cyber defense capabilities in a more collective effort.

Written by Kurt Dunn | September 27, 2024

Founder of American Certified Professionals, LLC

LinkedIn

Email: kurt@clearedandcertifiedpros.com