The author, Matt Szczurek, is a Solutions Engineer at SafeBase. Prior to this, he served in the Air Force for 13 years. The views expressed are those of the author and do not reflect the official policy or position of the US Air Force, Department of Defense, or the US Government.
Here at SafeBase, we understand that compliance is a crucial part of maintaining a strong security posture. This is reflected in our customers’ Trust Centers, their SOC 2 attestations, ISO certificates, standardized security questionnaires, and various other accreditations.
This is the industry standard: evidence that these organizations have met their compliance requirements, adhered to various security frameworks, followed security controls, and implemented policies to the best of their abilities.
The assumption is that cybersecurity is a matter of maintaining compliance with standards set forth by governing bodies like NIST, AICPA, CSA, ISO, etc., and by implementing these requirements, organizations can be assured that they have a hardened security posture that safeguards them against threats and provides insulation against risk. Sadly, compliance is only a part of the equation.
A quick search will show that there are countless articles about organizations that consider meeting compliance requirements "good enough."
In a recent article by Arctic Wolf, titled: “The Current State of Cybersecurity Compliance”:
“...Too many organizations follow their compliance requirements solely due to the legal obligation to do so, without a clear understanding of what these requirements help organizations achieve regarding cybersecurity.
Even more shocking, however, is a large number of organizations we uncovered that don’t even know why they follow their current cybersecurity standards. Our research found that many of these organizations follow their established standards with a “business as usual” mindset — where their security program is designed to meet the established requirements simply because that’s the way they’ve always done it. As the cybersecurity landscape evolves, these organizations are setting themselves up for future security failures.”
What's the Solution?
We must add a few extra values to create an adequate solution. This comes in the form of “Cyber Readiness”. Cyber readiness is a combination of compliance, developing a security mindset, and maintaining a proactive attitude that permeates an organization's culture and operations.
It promotes awareness and resilience, and bolsters the ability to prevent, detect, respond to, and recover from cybersecurity threats and incidents. It involves having the necessary technology, processes, policies, and training in place to protect against cyber attacks, as well as the ability to quickly and effectively respond to any incidents that do occur.
Cyber readiness creates a culture of collaboration and communication, removing the responsibility of “Cybersecurity” from just the IT department or a single individual within an organization.
It is a collective effort that requires input and participation from all employees and stakeholders. When everyone understands the importance of cybersecurity, they are more likely to work together to identify potential threats and develop effective mitigation strategies.
Aaron Weiss, the Chief Information Officer for the Department of the Navy said at the 2022 Cloudera government forum,
“We believe that rather than compliance, a better model for cybersecurity is something that’s close to the military. It is a model rooted in readiness,” he said. “Readiness is something that is a dynamic model. As a commanding officer, you would exist every day on some continuum of readiness. It’s measured very holistically … It’s not a one-and-done. A CO does not say, ‘I have now achieved readiness, done, and I’m good for three years.’ That concept of one-and-done has to go away.”
My Experience with the USAF
One might not be surprised that, like the US Navy, the United States Air Force has experienced similar pains. How does the United States Air Force (USAF), the tip of the spear on the front lines of the cyberspace battlefield, deal with “Cyber Readiness”?
The USAF is responsible for maintaining the air, space, and cyberspace domains of the United States military. To ensure its readiness against cyber threats, it has established robust cybersecurity protocols, including a strong focus on cyber readiness and security compliance.
Before I put on the hat of a Solutions Engineer here at SafeBase, I spent thirteen years enlisted in the USAF. It was an incredibly challenging and rewarding experience that allowed me to develop my skills as a cybersecurity professional and serve my country in a unique way.
I was constantly learning and growing, both personally and professionally, as I worked alongside some of the most talented individuals I’ve ever met, from Communications Security (COMSEC) for the Joint Surveillance Target Attack Radar System, or “Joint-STARS”, to Defensive Cyber Operations (DCO) for the National Air and Space Intelligence Center, or NASIC.
Though the name might not be as illustrious, the position that is most dear to my heart, which came in the middle of my military career and makes up the bulk of my experience in the USAF, was with the 561st Network Operations Squadron, Detachment 2, as a member of the USAF’s “Cyber Readiness Team”.
The USAF Cyber Readiness Team
Based out of Randolph Air Force Base, headquarters of the Air Force’s Air Education and Training Command (AETC), we were a small group of military and defense contractors providing enterprise services for eleven training installations. We were responsible for a network that served thousands of military personnel and three or four times as many network assets. Daily tasks included, but were not limited to, vulnerability management, network operations, Exchange email, and directory services.
When the time came, our team did extremely well on our first CCRI. Someone from leadership-on-high caught wind of our success and asked the question, “Why can’t they do this for the rest of the Air Force?”
Whoa, whoa, full stop. What was that random acronym “CCRI” I just threw out? I know, the military.
A “Command Cyber Readiness Inspection” (CCRI) is a triennial inspection conducted by the Defense Information Systems Agency (DISA). It evaluates an organization’s compliance with Department of Defense (DoD) security orders and directives and assesses network vulnerabilities, physical and traditional security, and user education and awareness.
Failing this inspection, or being found “Non-Compliant”, is considered a massive failure of cyber-security protocol. It causes significant damage to the reputation of the organization and highlights the lack of adherence to the Air Force’s high standards when it comes to cyber security.
A failure puts the organization under the strongest of microscopes and they are given six months to prepare for a re-inspection. Unless found “Compliant”, they face the possibility of having their entire network quarantined from the enterprise.
We were given new orders, and the concept was simple, “Be subject matter experts, with authority provided by the highest echelons of Air Force Cyber leadership, and help Air Force organizations to pass a CCRI.”
They labeled us, “The CCRI Preparation Team”.
The CCRI Preparation Team
Looking back on it, knowing what I know now, the scope of this was massive.
In a nutshell, the Air Force divides the responsibilities for its global enterprise network geographically between network operations centers. There are 57 active bases in the contiguous United States belonging to two centers, East and West. The Pacific region has 9 and Europe/Africa 7, as well as many other separate units, installations, and deployed locations around the world.
To make things even more interesting, we were working with multiple sites at a time: their leadership, security teams, and network engineers. We acted as a liaison to the representatives from the network operations centers that ran the Air Force enterprise network, and worked with representatives from Air Force Cyber to ensure Air Force locations were prepared for their CCRI.
Some of these locations’ sizes ranged from small teams, to network footprints the size of a city, with hundreds of thousands of assets and other moving parts.
Also remember, these sites included unclassified and classified networks, medical units, hospitals, weather radar, launch sites for satellite and rocket systems, and other highly specialized systems.
Holding Hands and Fixing Vulnerabilities
We followed a template when engaging with different sites and things generally went smoothly, generally…
- Around four months out, we began scheduling weekly meetings.
- Gained a baseline of their compliance posture by running weekly vulnerability scans on their entire network space.
- Had tier-1 ticket priority with the network operations centers, so we could triage and work through important issues that had been previously queued.
- Guided their teams through the latest processes and procedures.
- Once our team finished our preparation measures, and both our team and theirs were comfortable, we’d hand everything back to them around a month prior to their CCRI and hope for the best.
In most cases, it simply worked. Of course, it was an unbelievably busy time and depending on which site it was, we really cut it down to the wire. A good example of “The Wire”?
Thule Air Base, Greenland: We discovered that they had a bandwidth allocation with a data cap, and we couldn't risk interrupting missions by using it up with scanning and patching procedures. The solution? Download what was essentially an entire copy of the Windows Update catalog to an external hard drive and fly it out to the site. Easier said than done for a location that is roughly 950 miles (1,524 km) from the North Pole.
We fixed their broken processes, scanned their networks for weak points, and fixed tens of thousands (sometimes hundreds of thousands) of vulnerabilities, usually by improving their patching systems and endpoint security software, and kept personnel updated on what their responsibilities were. When there are hundreds of people “in charge” making policies, more often than not, simply pointing someone in the right direction for official guidance or the correct policy made a world of difference.
We, as the experts, held their hands until their security posture was in tip-top shape. Our hard work paid off: we were achieving a passing “Compliant” outcome with more than 95% of the teams we worked with.
We did this over and over again for years, and eventually, we started to see familiar locations show up for their next scheduled inspection.
This was a turning point. We expected the upcoming CCRIs to be a breeze, considering how much effort we had put into the previous one. The inspectors would be able to come in, see that the sites were still operating in optimal shape, and leave quickly.
We were quite wrong.
A good portion of the sites that we had helped, which by all accounts were running well-oiled cyber security machines when we left them, were back in the exact same position, and many of them were worse. The consensus was that they had passed the CCRI, and that was all that mattered. After the inspection, they went right back to doing things (or not doing things) as they had before.
There were countless meetings with Air Force leadership as to why this was happening, whole programs were stood up to comb through archived data, and interviews with my team to get first-hand accounts of what we were doing, etc.
We weren’t identifying and fixing the root of the problems.
That isn't to say there weren’t a million valid excuses: bureaucracy, high turnover rates, constant policy changes, improper training, user admin rights, reprioritization of duties from leadership, and the list goes on and on…
- “I have a mission to do, why would I click on an update notification to restart my system?”
- “My mission is to fly airplanes, not to make sure computers are patched.”
- “We don’t have enough manning, our teams have more important things to worry about”
- “The network operations center took our domain admin rights, so we can’t fix things ourselves”
- “We don’t know who these systems belong to, so we can’t patch them”
- “Of course, we didn’t fix it, isn’t that your responsibility?”
- “No one ever told us this was the latest guidance, why didn’t we know about it if it was so important”
After hundreds of hours of working to identify the pain points, we boiled them down to two things and stuck with making them the headline in the push for change.
“Develop a cyber security culture” and “With compliance as a baseline, push the importance of cyber readiness”
A New Era of Cyber Readiness
There was a massive overhaul of our program, and we rebranded our “CCRI Preparation Team” to the “USAF Cyber Readiness Team", with a new unofficial motto, "If you always stayed ready, you didn't have to get ready"
Things started to move fast, and for the better. We broke the work down into what you could consider “Core Values” for Air Force network operations. These are the things we helped teams achieve themselves, rather than fixing things for them.
Have a solid backbone
For cyber security programs, build repeatable processes that are set in stone, with clearly defined roles and responsibilities. This included identifying exactly who was responsible for each initiative, so that it is no longer a huge lift to find out who owns an asset or who is in charge of a specific area of concern.
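Two of the points above are measurable: the weekly vulnerability-scan baseline that showed sites sliding back after they passed their CCRI, and the “we don’t know who these systems belong to” gap that clear asset ownership is meant to close. The following is an added example, not code from the original post, the USAF or SafeBase, of how a small readiness tracker can surface both from ordinary scan exports. The hostnames, finding IDs, owning units, inspection date and the shape of the weekly export are all constructed for the example; real scanners export different fields, but the logic (track the count over time against the inspection date, flag hosts with no owner, flag findings nobody has touched for weeks) carries over.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    scan_date: date
    host: str
    finding_id: str   # scanner check or CVE id; constructed placeholder here
    severity: str     # "critical", "high", "medium" or "low"


# Constructed asset inventory: host -> owning unit. A host missing from here is
# the "we don't know who these systems belong to" case from the post.
INVENTORY = {
    "ws-0101": "Comm Flight",
    "ws-0102": "Comm Flight",
    "srv-exch01": "NOC",
    "srv-wx01": "Weather",
}

INSPECTION_DATE = date(2023, 3, 22)  # constructed inspection date


def _week(d, rows):
    return [Finding(d, host, fid, sev) for host, fid, sev in rows]


# Constructed weekly scan exports. Counts fall in the run-up to the inspection
# and climb again afterwards, which is the regression the post describes.
SCANS = (
    _week(date(2023, 3, 6), [
        ("ws-0101", "FIND-A", "critical"), ("ws-0101", "FIND-B", "high"),
        ("ws-0102", "FIND-B", "high"),     ("srv-exch01", "FIND-C", "critical"),
        ("srv-wx01", "FIND-D", "medium"),  ("ws-0199", "FIND-B", "high"),
    ])
    + _week(date(2023, 3, 13), [
        ("ws-0101", "FIND-B", "high"),     ("srv-exch01", "FIND-C", "critical"),
        ("srv-wx01", "FIND-D", "medium"),  ("ws-0199", "FIND-B", "high"),
    ])
    + _week(date(2023, 3, 20), [
        ("srv-wx01", "FIND-D", "medium"),  ("ws-0199", "FIND-B", "high"),
    ])
    + _week(date(2023, 4, 17), [
        ("ws-0101", "FIND-E", "critical"), ("ws-0102", "FIND-E", "critical"),
        ("ws-0199", "FIND-B", "high"),
    ])
    + _week(date(2023, 5, 15), [
        ("ws-0101", "FIND-E", "critical"), ("ws-0102", "FIND-E", "critical"),
        ("srv-exch01", "FIND-F", "critical"), ("srv-wx01", "FIND-G", "high"),
        ("ws-0199", "FIND-B", "high"),
    ])
)

ACTIONABLE = {"critical", "high"}


def weekly_open(findings):
    """Open critical/high findings per scan date, oldest first."""
    counts = Counter(f.scan_date for f in findings if f.severity in ACTIONABLE)
    return dict(sorted(counts.items()))


def unowned_hosts(findings, inventory):
    """Hosts seen by the scanner that have no owner on record."""
    return sorted({f.host for f in findings} - set(inventory))


def stale_findings(findings, min_weeks):
    """(host, finding) pairs present in at least min_weeks distinct scans.
    Nobody is acting on these, whatever the weekly total looks like."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f.host, f.finding_id)].add(f.scan_date)
    return sorted(k for k, weeks in seen.items() if len(weeks) >= min_weeks)


def readiness_drift(weekly, inspection_date, tolerance=0.25):
    """Compare the best week up to the inspection with the latest week after it.

    Returns (pre_inspection_floor, latest, drifted), or None if there is no
    data on one side of the inspection. 'drifted' is True when the latest count
    exceeds the floor by more than `tolerance`: the site passed and slid back.
    With a floor of 0, any reappearance counts as drift."""
    before = [n for d, n in weekly.items() if d <= inspection_date]
    after = [n for d, n in weekly.items() if d > inspection_date]
    if not before or not after:
        return None
    floor, latest = min(before), after[-1]
    drifted = latest > floor * (1 + tolerance) if floor else latest > 0
    return floor, latest, drifted


def owner_report(findings, inventory):
    """Open critical/high findings in the latest scan, grouped by owning unit,
    so each item has a name attached instead of 'the IT department'."""
    latest = max(f.scan_date for f in findings)
    report = Counter()
    for f in findings:
        if f.scan_date == latest and f.severity in ACTIONABLE:
            report[inventory.get(f.host, "UNOWNED")] += 1
    return dict(report)


if __name__ == "__main__":
    weekly = weekly_open(SCANS)
    for d, n in weekly.items():
        print(d, n, "(pre-inspection)" if d <= INSPECTION_DATE else "")
    print("drift:", readiness_drift(weekly, INSPECTION_DATE))
    print("unowned:", unowned_hosts(SCANS, INVENTORY))
    print("stale (4+ weeks):", stale_findings(SCANS, min_weeks=4))
    print("by owner:", owner_report(SCANS, INVENTORY))
```

On the constructed data the tracker reports the pre-inspection floor of one open finding against five in the latest scan, flags `ws-0199` as having no owner, and shows that the same finding on that host has been open in every scan. Run weekly rather than once every three years, numbers like these are what turn “we passed” into the continuum of readiness the post is arguing for.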
Stay Cyber Resilient
New teams were established to find novel ways to keep end users and admins up to date with the latest policies, industry news, and recent initiatives from the leadership at US Cyber Command. Internal repositories for policy and directives were created, new automated software was tested and deployed at the same time that old, unsupported systems were removed from the network.
Go above and beyond the bare minimum
We essentially completely removed “What is required to pass a CCRI” from our vocabulary.
We started to maintain transparency from the bottom to the top and built trusted relationships with the sites, all the way up to the top of US Cyber Command. This spurred an initiative for the allocation of additional manning, funds for new training, new certification programs, new software, etc.
I’d like to say it ushered in a new era of “Cyber Readiness” and a security-minded culture for the Air Force’s enterprise network.
I can only hope that it remains today.
Cyber Readiness is Key
If you made it this far into this article, I’m sure you can see the similarities between how the United States Air Force and a large company operate.
The biggest thing I want the reader to take away is:
Cyberspace IS a battlefield. Businesses, military installations, state governments, schools, hospitals, etc. are being attacked hundreds of thousands of times each day across America.
Attackers are looking for weaknesses they can exploit to do severe damage to America as a whole. A bad actor stealing information from a multi-billion dollar corporation is just as bad as stealing national secrets. Infiltrating a company’s network, taking their IP, money, or trade secrets, and possibly putting a multitude of employees out of work is just as bad as getting your hands on classified documents or crippling a government’s infrastructure.
Cyber Readiness is key.
If you value your information, protect it. Make your network like a vault. Lock it down, and establish repeatable cyber security processes that will keep it secure. Give your leaders, managers, and administrators, the authority to do their job by making it a top priority while educating your workforce.
Every employee should know what it means to be cyber-ready, the force multiplier for security.