Regionalization of Cyber Security Defense

My Experience as Regional Cyber Security Chief for the US Army Regional Network Center

By Gary Trautmann, Senior Cyber Security Advisor to Mongolian Armed Forces Cyber Command, Sincerus Global

What is regionalization and/or centralizing efforts? This is an initiative that brings assets into a unique location to enhance oversight and control of efforts. In cyber security, it is an effort to provide better security and reduce the possible ‘weak’ links in the chain that could provide a vulnerability for exploitation.

When I was hired in 2022 as the Chief of Cyber Security for the Northeast Regional Network Center (RNEC) for the US Army, there were 7 disparate network enterprise centers in the region. These centers all governed their individual networks (systems, infrastructure, and endpoints), ensuring proper cyber defenses were in place. These centers were autonomous in their scanning, patching, software updates, new software deployment, testing software, obtaining authorizations to operate, and ensuring NIST controls were satisfied. At times, not all defenses were coordinated across the region, thus providing a ‘hole’ in the overall defense of the Army network. It was decided that regionalization was needed to ensure there was a unified effort to secure the Army networks and protect the critical data. The network was already operating in a single virtual routing network, so the next step was directing cyber security operations at the regional level. I directed my senior technical expert to devise a strategy to unify the efforts into a single technical solution. The solution was labeled “cyber as a service” (CaaS), as the cyber security services will be offered to the individual networks from the regional headquarters.

The results of the regionalization were a tremendous success, a more secure enterprise and better protection of the critical data. Actions are unified on both the unclassified and classified networks.

The policy to direct actions at each center was in place but not always followed. Therefore, I decided to take the decision away from the local centers and enforce the policies centrally. To enforce the policy, we needed to have the technical capability to conduct the basic mission. In conjunction with the network and enterprise services divisions, we placed all the local centers into a single ‘domain.’ This move allowed my division to do the vulnerability scanning from the regional center and enforce any quarantine actions. For many of the vulnerabilities, the regional office would ‘push’ out the patches as needed, but a local solution was required for some endpoints. The customer was referred to the local center for resolution for the endpoints, usually workstations. This ensured that accountability was held at the local level for the affected customer.

All routine security updates to the software required testing to ensure that no other system on the network was affected. With each center responsible for its own testing, not all updates were applied uniformly. Thus, the regional center centralized all testing, and some centers did not see this as a high priority and would lag the other centers.

The administrative portion of maintaining the authorization to operate (ATO) the networks was another aspect of defense. Prior to regionalization, each center was responsible for testing and validating the NIST controls, which were functioning as expected to protect from incursion. This was a huge drain on the workforce and a duplication of efforts. My division personnel consolidated the 8 ATOs into a single ATO for each network (classified and unclassified). This effort reduced duplication from maintaining controls to maintaining policy revisions. Now, the regional division can author those documents, and they are applied to all systems in the region, leaving only one document to update versus 8 documents.

The results of the regionalization were a tremendous success, a more secure enterprise and better protection of the critical data. Actions are unified on both the unclassified and classified networks. Now, weekly vulnerability scanning is conducted at a single point and all quarantine actions are directed from the region. By conducting centralized testing, we ensured that updates were applied across the enterprise coordinated and all endpoints were patched. This standard was also applied for any new software added to the baseline, all workstations were installed on the same timeline minimizing any lagging vulnerability. Another benefit of regionalization is personnel cost savings. Each network center can reduce staffing or reallocate the position to shore up other areas in the center.

Administrative actions higher up in the chain of command are reduced. Instead of reviewing 8 different authorizations to operate packages, only one is needed per classification level. Regionalization eliminated the requirement to have individual packages; it truly became one enterprise network. The work done in the Northeast could be rolled up into other regions throughout the Army and duplicated across the entire Army domain.

The regionalization effort was not an easy effort. The technical aspect was done without hiccups, but the administrative portion had several roadblocks. The most contentious one was that personnel were afraid that their positions would be eliminated, that perception had to be overcome. I accomplished that by having regional discussions with personnel to make sure they are all part of a team; local personnel are still required for the outlying ‘touch’ maintenance. Making the individuals at the local centers realize that they are part of the regional team, especially on the administrative portion of cyber defense. Even though we had compressed the 8 ATOs into one, each local center was still responsible for a portion of that ATO and ensuring compliance. Overall, it was a technical and personnel success. Bringing all members across the region into a single virtual team to defend the Army networks showed that centralized control with decentralized team aspects is an outstanding structure for the future.