Dr. Ray A. Letteer is the Deputy Branch Head, Compliance Branch, Cybersecurity Section of the Command, Control, Communications, and Computer (C4) Division for the Deputy Commandant for Information at Headquarters, U.S. Marine Corps. As such, he oversees all efforts within the Marine Corps for Cybersecurity (CY) which includes DoDIN Operations protection and defense, Defensive Cyber Operations (DCO), Public Key Infrastructure (PKI), Key Management Infrastructure (KMI), and the Risk Management Framework (RMF). He is responsible for the overall creation, promulgation, execution and oversight of the Marine Corps Cybersecurity program.
Dr. Letteer serves as the appointed Approving Official (AO) for the Marine Corps Enterprise Network (MCEN), which includes all networks and networked systems whether in garrison or tactically deployed. He is also the Functional Area Manager (FAM) for Marine Corps KMI/PKI issues and for Smart Card/Common Access Cards.
The Cybersecurity Section’s mission is to provide policies, procedures, governance, and oversight to prevent damage to and ensure the protection and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communications, including the information contained therein.
CHIPS senior editor Sharon Anderson asked Dr. Letteer to discuss his top priorities for Marine Corps cybersecurity in early May and July.
CHIPS: The Marine Corps is transitioning to the Risk Management Framework (RMF) to secure its networks and platforms. How is the transition progressing?
Dr. Letteer: The Marine Corps is doing quite well on this. We made the determination a little over three years ago when the direction was to start moving from DIACAP (DoD Information Assurance Certification and Accreditation Process) to RMF. Fundamentally, it’s not really significantly different. A process review for authorization approvals for connection derives from documentation from the 1980s. There are documentation shifts, certain metrics and compliance items one has to have. In 2016, we made the determination and put it in a message for the Marine Corps: that all systems under DIACAP would need more approvals—re-accreditation and extensions had a specific window from 1 – 20 December, 2016; after that, approvals ceased.
The RMF is the only approved process, and in partnership with MARFORCYBER, the enforcement of this transition has worked. Non-compliance with the RMF risks issuance of a DATO (Disapproval of Authority to Operate) and DATC (Disapproval to Connect). The RMF transition kept some of the reciprocity systems one has to take from the other Services that may not have been as aggressive in this, Army, Air Force, etc., in which case we started doing our reciprocity memo to have on file to show that we had evaluated them from an RMF framework.
There are still a couple of ones that are not ours, but the Marine Corps has been totally transitioned to RMF for quite some time.
CHIPS: A few years ago when I interviewed Mr. Ken Bible, he talked about the Marine Corps working toward a seamless Marine Corps Enterprise Network that can support Marines from the fighting hole at the edge — back to the garrison. Can you talk about MCEN unification?
Dr. Letteer: The approach is, as Mr. Bible did talk about, the network construct and services go from the flagpole to the fighting hole—as you alluded—a distributed system—MCEN. We are making pretty excellent progress on this. I just had a discussion last week with III MEF on their tactical implementation so while we have a garrison construct, as we all know under the NGEN contract, we now find that III MEF is extending those same resources out to their tactical constructs. No more is there special tactical network identifiers or domains as such.
1st MARDIV just came and did a briefing on exercises they did locally (Camp Pendleton) in California. They too are starting to make the transition to drawing email services and other services directly from MCEN itself and not having to create and stand up their own little email exchange which creates a disparate connection.
We’re looking at the construct of how we can create cloud services into that environment. We’re looking at what tools and capabilities can we do to allow a portable cloud construct so they can download things from the local CDC. So if they have to deploy, they have the benefits of a local cloud platform that they can periodically update and refresh as practically as connections allow.
So I’m pretty excited to see it and it helps me from a security perspective because once I have accredited a capability, I don’t have to do ‘yet another accreditation’— a ‘YAA’ —another approval for a capability when you want to deploy it. It’s already approved under a particular construct, particular design in your defined rearmament and if you are just moving, say a CAC2S, Combined Air Command and Control System, it’s already been approved and I’m moving it to this location to continue to draw resources and information and support from—it’s already approved. No more is this re-accredit every time you turn on a light or move to a new location.
CHIPS: Would you define CDC?
Dr. Letteer: It’s the core data center construct, the DoD construct for domain and data consolidation, the authoritative consolidated data center, which for us presently is Kansas City.
CHIPS: Do you mean MCEITS—Marine Corps Enterprise Information Technology Services?
Dr. Letteer: MCEITS is one of our many services within our Kansas City IT Center.
CHIPS: One of the Commandant’s priorities is improving command and control. How does the Cybersecurity Division assist with advancing C2 for tactically deployed Marines?
Dr. Letteer: If you remember, people like to throw around this aspect of cyber. Cyber is no more than the connections, communications and cognizance. For connections—is it fiber, is it Ethernet, is it a waveform, is the communication in 0s and 1s, is it pulses of light? The cognizance part, that’s the part where I am applying intelligence and knowledge to what type of data I am passing on in this environment. This applies to us in the C2 approach. If I am going to help ensure command and control for Marines they have to have assured ability to be able to do so. How can we find ways to lighten the load with smaller waveforms, for example, fewer components, but assure from the cybersecurity portion what is safe, secure, repeatable, protected? We are finding innovative ways to do this.
Our whole philosophy to help the Commandant meet his mission and to meet our Marine Corps goal is to find a way to say yes and not no. We don’t want to be stupid and let’s not go crazy, but let’s find a way to say yes. Let’s be innovative to make sure that what you pick [for C2] is protected and because that capability whether it’s a handheld, whether it’s a laptop, whether it’s a waveform or connecting to an airframe, we have the protections there to make sure that we have command and control implemented.
CHIPS: Can you talk about some of your challenges and top priorities?
Dr. Letteer: Sure. Our challenge is always to assure we have a common understanding and lexicon. I think the DoD overall has significant challenges as we all have a lot of people whose roles and responsibilities sometimes overlap. We are wading through this to come to some commonality and understanding. We work our challenges through a DoD enterprise body, the Defense Security/Cybersecurity Authorization Working Group (DSAWG) for DoD and Intel groups. That is the governance body that looks at risk from a technical perspective in support of the Information Security Risk Management Committee (ISRMC), which evaluates risk for the entire DoD from a strategic perspective. The ISRMC has participation from all of the Services, DoD organizations, Intelligence Community, and Combatant Commands. We have been able to harmonize a little bit more, to kind of get through some of these challenges as to how we harmonize our protocols so we don’t have to repeat certain actions for Approval to Operate decisions.
My top priority is to make sure I understand my battlespace. I need to make sure that my bosses, Brigadier General Mahlock, Lieutenant General Reynolds (Deputy Commandant for Information), and ultimately for the Commandant, and we know where our common battlespace is, our cyber/IT common constructs throughout the Marine Corps because that is the backbone, the information highway that helps us assure we are doing C2.
You know that DoD has been pushing us for visibility. One of my top priorities has been to try to press, what has been called the ‘Comply-to-Connect’ program, to have the ability to see everything down to the end user device, to the printers, to our operational technology environment, which includes ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) for remote monitoring, the BLII (Base Level Information Infrastructure), and other base interface systems, so that the base commanders can see everything that is going on; our regional commanders can see everything that is going on and roll it up to appropriate leadership. If one is able to see, then one is able to manage and be more accurate in defense.
Comply-to-Connect functions, and other end-point visibility and management capabilities, strategies, and tools, must be part of the education of our workforce in order to enhance our ability to maintain the defense of our network. That’s another real big one… People throw up their arms and say our people are trained well enough. I think there is legitimacy in that to a point. I think we need to define to train to what, and how do we do it and give people the time to be able to do the training cycles. I am trying to find ways for an environment for the workforce to train on their own.
I’m working with the manpower folks and our workforce managers on where we can set the standards, and be able to say use some of the capabilities, like Cybrary, Udemy, FedVTE, our own Cyber Training and Evaluation Platform (CTEP) in the DoD Cybersecurity Range/Marine Corps Cyber Range, and others, to say, ‘These are some of the things you can do on your own; make some time for it so you can actually raise your skillset.’
As I mentioned earlier, I continually work to help people understand the importance of following the Risk Management Framework to provide evidence they have implemented controls and protections to gain the Authorization to Operate or Connect. Essentially, it is an engineering design effort done up front; to also ensure we have pre-approved environments, inherited security controls, standard implementations for re-use, and a consistent view of the operational environment to help speed up innovation and services implementation.
CHIPS: At an AFCEA event in February, you talked about how the Corps is examining the cybersecurity implications of quantum computing, blockchain, and cloud technologies. Do you view these technologies as challenges or opportunities? You did say the Marine Corps is using cloud?
Dr. Letteer: Yes, we are. With quantum computing there are opportunities, but there are challenges as well because adversaries can use quantum computing. We have to have systems that are more robust with encryption and over development make sure that we have appropriately strengthened them with resilient capabilities. But at the same time, there may be some things we can do as well for validating or using it in our environments for lessons learned or for defining aspects of quantum computing itself.
Blockchain has always been an interesting approach. Some people are very adamant for it. I’m kind of in the middle. There are some aspects of blockchain that could really help us in cloud. I do trust and have a confidence in a lot of the services cloud can provide us, but there is still the old aspect that I learned when I was in Berlin and President Reagan said, ‘Trust, but verify.’
One can take aspects of blockchain into the cloud to make sure that if things have been changed, one knows it. It gives you a precursor of problems. Finance and business organizations in the Department of the Navy could probably learn some useful things about blockchain that could help them.
Cloud is an interesting conundrum, and I’m sure you have heard this before, cloud is nothing more than somebody else’s computer, in somebody else’s building, with somebody else’s connections. Technically, they are kind of right. But there are some benefits of scale and service provisioning that can be done at a much better rate and much more efficiently than maybe the Navy and Marine Corps can do.
So there are some things I do like in cloud but I want to make sure that whatever we have in cloud still has an overview of security. There are those who say trust them, ‘Amazon has been doing this for years, Google has been doing this for years, Microsoft, etc.’ I get it, but at some point I have to take a look at maybe their return on investment is making decisions along cost factors while I have to look at how risk has an operational impact. So I want to have some insight. I have to make sure that whatever we do is properly managed, controlled and has visibility to our Cyber Security Support Provider (CSSP), which is the Marine Corps Cyber Operations Group, the MCCOG, at Quantico. In particular, I want to better understand how one can validate the security configurations of an AWS S3 container. If that is the repository for Marine Corps information in the AWS cloud – one of the current options – then I need to be sure we don’t have problems with configurations similar to what I’ve read in the press that other commercial entities have had.
So we are finding things. I just did an authorization for an approval for the Marine Corps Business Operations Support System, MCBOSS, which is like a business applications foundry environment where we can do a DevSecOps approach as we build this application in a cloud construct, and at the end of development it will drop in ready to operate on an approved system without needing other approvals, just as I described earlier. Basically, it’s a Marine Corps approved process in a very consistent agile manner.
CHIPS: It really comes down to a shared risk model between the vendor and the government.
Dr. Letteer: You’re right, it is a shared model and an approach where we both need to understand where the apportioned parts and views of the risk are. I will look at risk for a business system or an operational mission system on the confidentiality, integrity and availability model. I will look at operational technology risk, such as Facility Related Control Systems or weapons systems on an availability, integrity, confidentiality model. I expect my acquisition communities to look at risk through cost, schedule and performance. We have to make sure we balance so that those latter risk measures don’t adversely affect the former two that I am primarily concerned with. But I think we can find ways to do it well. We just have to be clear on what we want and how we want to do it.
The question I would say in cloud computing, and I’m not a lawyer, is once we are clear regarding our security requirements, it is heavily dependent that we make sure that we have very clear contract language to outline what is expected, what we can hold people accountable for, and what we expect and put upon ourselves for whatever type of services we must have.
CHIPS: You have talked about the Comply-to-Connect approach that enables better transparency for Marine Corps networks. Do you have anything else to add?
Dr. Letteer: We are trying to get more traction on that, but just imagine the ability for someone at your Cyber Security Support Provider (CSSP) to be able to look up and see, as we saw at Camp Lejeune, someone trying to attach the Linksys wireless router onto this switch, so they can manage the HVAC from the commercial side. You can see it pop up when it happens, not discovered after the fact. Because of this, things like the Command Cyber Operational Readiness Inspections that we are all doing will help us be more ready, more mature, and then our status and readiness will be seen at the consistency of the required protection profiles. Then we shouldn’t be surprised when a Command Cyber Operational Readiness Inspection team comes in and they scan the network… They see the same thing. We already know it. No more surprises.
We aren’t as fully implemented as I would like, it takes time. I am frustrated because, as you know in the government environment, it takes time to move things along in contractor constructs. But we have a wonderful percentage on our NIPR environment, a very high level of visibility both with a layer two tool and a level three application. I’m not going to call out any specific brand names since it would be inappropriate; but I am very excited about the progress and the very real potential. If we just could get some of these things to go a little bit faster it would be wonderful for the Marine Corps, and for the Department of Defense overall, to have that level of oversight and organizational management that they want.
CHIPS: One of the findings of SECNAV’s Cybersecurity Readiness Review is that cybersecurity training for IT users in the department is inadequate. Do you have any ideas about improving user training, and is insider threat and misconduct on the network a concern for you?
Dr. Letteer: Oh, yeah, it’s interesting because we took a look on what we had on that Cybersecurity Readiness Review and it pointed out for us some things that really were aspects of culture, people, governance, processes, resources. One of the things it said in that publication is that we as the Department of the Navy have to be not so focused on the material constructs of the ships… or the cannons constructs. We have to start recognizing that a lot of this is dependent on the cyber information environment that we have to have. We agree with that. We are working pretty closely with [OPNAV] N2N6, and both Brig. Gen. Mahlock and Lt. Gen. Reynolds are actively engaged. We are moving on these areas; we have 15 specific task areas that we are looking at.
And you are right, the ‘people’ area was brought out in the report so we need to improve the cyber workforce training, as I mentioned earlier. For this, how do we identify getting the roles under the NIST Cybersecurity Workforce [Framework] that we are working to identify, in this particular role in this environment, what particular training do I need to support and sustain me?
We used to have, a long time ago, the ability to provide for certain information system security officer/information system security manager qualifications because the DoD paid for some, because it’s codified as part of the 8570. Now, the 8140 [Developing A Professional Cyber Workforce] is to replace the 8570. But we have found that certifications, while they are really good to validate you, provide some level of evidence… that you say you know what you’re supposed to know… There is still a gap where a qualifications portion existed that we need to expand upon.
So how can we improve these training environments to make sure people get the opportunity to train? Because once one gets into the working environment, as you can appreciate, the operational tempo kind of keeps you going on the day-to-day [tasks]. How can I find ways to say, ‘Here is a training opportunity’? As I mentioned before, there are things they are always looking at with the Federal Virtual Training Environment (FedVTE), and others.
Brig. Gen. Mahlock has established requirements for us within C4 to have resilience in our skillsets, so we have to identify two things for training we plan to do for the year. As a supervisor, I have to make sure that my people identify quality training that gives them the ability to move up. We are trying to explore new ways to do things. The Marine Corps has the Cyber Training and Evaluation Platform (CTEP), part of the DoD Cybersecurity Range/Marine Corps Cyber Range. This is a robust cybersecurity training and exercise platform, where one can go learn and refresh oneself on access controls lists, how to do firewalls, how to build a network, some fundamental aspects that help people move on.
But we have to change the culture in the Department of the Navy that it is expected for you to go do this. We have so many great people, civilian heroes, that sacrifice their time, that work long hours, sometimes when they don’t have to, and they don’t take the time to do their training. So we have to find a way to help them. Part of this is maybe take a look at our work cycle approaches. If people are so overworked that they don’t have time for training, we have to look at ways to harmonize the workload so they have opportunities. It’s important for us. All the cyber we have is irrelevant unless you have people as part of it. If you don’t have trained people, you are not going to be very successful.
CHIPS: According to the Review, SECNAV is reviewing “how to better organize the department to address the overall challenges of information management; to include not only cybersecurity, but also data strategy and readiness, business system rationalization, and artificial intelligence.” You talked about the need for a DoD data strategy and standardization. Has the Marine Corps made any ground on this?
Dr. Letteer: Yes. Good point. I have to give kudos to Rear Admiral Barrett (OPNAV N2N6G Cybersecurity Director), and others, because they have done some really groundbreaking work on that approach. Unlike in academia, plagiarism is a sincere form of flattery. We are looking at some of the things that Admiral Barrett’s group defined and that is done by another Division and individual that is focused on that.
From a cybersecurity perspective, we appreciate and rely upon data strategy elements because if you, for example, as a particular information system owner — say you are in business or finance — for me to protect your information, you have to tell me the data elements, the data sensitivity, what are the roles one has to have to allow access to it. I have to know your organization and maybe federal law to know the federal requirements for how to protect your data. It gives me enough specificity for the cybersecurity perspective.
There are aspects, as I said before, to harmonize what we need to do to make sure we work at a better aspect of process and posture to make sure in our organization the alignments of authority are there, there is accountability and responsibility, that we can draw best practices from industry and government, and do what federal law tells us to do. As I said, there are 15 major areas that we in the Marine Corps are targeting, as part of the overall DON effort, with metrics to make sure there is improvement in what the report recommends that we do.
Artificial intelligence — I had two briefings on it this past week. One is coming from an Intel environment which is very interesting and very mature. Another was from our Manpower and Reserve Affairs and we recently had a third capability presented from the Marine Corps Installations Command, which also would use AI. We are starting to evaluate the quality of the code and learning algorithms development to ensure we get the proper tenets for the Marine Corps to understand what those data elements and constructs are so we can know how we protect the data, the information, in such a way that we have consistency in this exciting new thing.
Interestingly enough, everybody is saying artificial intelligence is wonderfully new — and while it poses some interesting questions for development and use in the future — it is still software. It’s still a fundamental aspect of how we have always managed and controlled those 0s and 1s to take advantage and move us forward. It’s going to be exciting times for us.
CHIPS: Is there anything else you would like to discuss?
Dr. Letteer: I just want the world to know that everyone in the Department of Navy, and particularly, the Marine Corps, really takes our responsibility for protecting government information, government data and systems, very seriously. Sometimes, we may appear to be a little bit slower, a little bit more cautious, a little bit more closed on things and that’s because we want to be sure. But we are finding ways we can have areas of trust in standards we can validate, and if we find those things we can move faster on, we definitely will.
The Air Force also has what they call their Fast Track ATO. I would just like the world to know that we actually implemented things like that in 2011, in a project we called ‘C&A in a Day.’ A bit of a cheesy bumper sticker, but the approach was taking an extraordinarily complex system and massively looking at it in the DoD Cybersecurity Range/Marine Corps Cyber Range from the realistic tier one implementation of the DoDIN (Department of Defense Information Network) construct all the way to the tier three at the base or local level and hitting it with Red Team and White Team penetration actions all at once to see how resilient it is. So that instead of taking eight, 12, 14 months for a traditional accreditation of a complex system, we showed we could do it in two weeks.
We still have that construct available. Now are people using it? Not that much. But the combination of what we have done with MCBOSS to approve the DevSecOps construct [shows] we are moving to the future. I predict that by August of this year, the Marine Corps is going to have just as fast and just as resilient of an RMF framework process as our brothers and sisters in the other Armed Services because it’s essentially an engineering process.
If we do the engineering rigor up front, that helps our acquisition community, that helps our warfighting community, our business communities know what we need to do up front, and as long as they maintain and stay with their particular constructs, the left, right lateral limits, as you were, they can go ahead and do their changes and adjustments without having to ask, ‘Mother, may I.’
CHIPS: You know you have laid down the gauntlet.
Dr. Letteer: I know I did. Everybody is talking about Rear Admiral Barrett, and I’m glad that she did what she did, because she is consolidating a software push out for the ships, which is great, in an XML format. It makes perfect sense. You have approved the software approach, it’s standardized, now you can push it out and you don’t have to re-look at it again. Absolutely the right thing to do. We need to remember it’s done from an accredited system already, up front at the load, which is what they are supposed to do, and they do it well.
The Air Force’s Kessel Run DevSecOps environment is a mature and exciting effort whose best parts we are — to be quite honest — reusing. We all have to remember they have invested money, people, and infrastructure to make sure what is done on the front end, is done right. They took the time to establish standards, complete RMF approvals for the supporting infrastructure, develop mature funding lines… all to ensure they can develop application services in record speeds. We agree, and as I mentioned before, we proved the same concept in 2011, albeit from only the cybersecurity control review perspective... But, we are taking lessons learned.
I briefed my boss on the DevSecOps and agile construct to do a rapid approach to what I call continuous ATO. If I can have that consistency in a process of the software foundry and the approved production environment design, like Kessel Run has done, I need only accredit the process of how you are building the software application. As the software is developed, one would be looking at the software as you work with some things like Fortify or other software code review tools, checking it against other cybersecurity vulnerability detection tools as the code is developed so that by the time development is done, we don’t have to do the traditional accreditation — it’s already been done. Before the end of this fiscal year, we are going to have this pretty well-defined as to the process flow. Now we have taken a load and a burden off our workforce, our acquisition community, our development community.
I’m very passionate about this. I’ve seen the very best of things, and the very worst of things; that’s why I am very passionate about taking the load off the end user to make sure we deliver a secure, safe capability so that we can do the mission, but to make sure the information is protected, the system is protected and resists the adversary as much as I can, so people can get their job done.
CHIPS: It very much shows. Thank you.