
AI for ATO: Pentagon seeks AI to streamline cumbersome cybersecurity processes - Breaking Defense

2025-09-12 13:51:53

By Sydney J. Freedberg Jr.

WASHINGTON — Both machine learning algorithms and other, more deterministic forms of automation have a major role to play in streamlining often cumbersome cybersecurity processes, especially getting software a formal Authority to Operate on Pentagon networks, defense officials said this week.

“We need tools and capability and AI to make that faster and less expensive,” said Katie Arrington, who’s currently performing the duties of the Pentagon CIO, in a high-energy address to the Billington Cybersecurity Summit. “Why am I so hell-bent that I’m getting an automated ATO and reciprocity? You, as a taxpayer, pay for ATO.”

An ATO is the cybersecurity seal of approval required before a new piece of software is allowed to operate on a Pentagon network. The process can often take a year or more, which is long enough that new cyber threats can arise and render once-secure software obsolete. Once an ATO is granted, it may be years before anyone manages to follow up and check that the software is still safe to use.

But one Marine Corps program manager said at Billington that his team is using automation to help get to ATO in less than a month — sometimes much less.

“We’ve compressed the timeline for a traditional ATO package down inside 30 days,” said Dave Raley, head of a team called Operation Stormbreaker at Marine Corps Community Services. “We’ve seen where the Marine Corps AO [Authorizing Officer] approves a package in 24 hours.”

The agencies of the Intelligence Community are also looking at AI and automation to speed the ATO process, among others, said the IC’s CIO, Doug Cossa.

“For the community, we’re doing ‘espresso ATO,’ which is the minimum set of controls that you would have in place to automatically get your authorization,” Cossa told the Billington conference. “Right now, while we define those, it’s a manual process. We’re looking to automate that evaluation … over the next year.”

The ultimate goal, Cossa said, is an automated process similar to getting your car’s emissions checked: You hook the software up to the diagnostic system and see whether the light turns red or green.

ATOs aren’t the only cybersecurity processes getting sped up with AI. Alexei Bulazel, the National Security Council’s senior director for cyber, noted that last month DARPA announced the final results of its AI Cyber Challenge, in which seven AIs competed to find and fix problems in 54 million lines of code from real-world software. Before the contest, DARPA coders deliberately introduced 70 cybersecurity vulnerabilities into the code: The AIs collectively found 54 of them (77 percent) and auto-patched 43 (61 percent). That’s far from perfect but definitely enough to be helpful to overworked humans trying to find all the problems by hand. Even more impressively, the AIs found another 18 vulnerabilities that DARPA hadn’t put there, genuine “zero day” threats, of which they auto-patched 11.

That said, speeding up the process takes more than new technology, Raley and other speakers at the Billington conference emphasized. Whoever’s building the software, for instance, needs to practice what’s known as “agile methodology” or DevSecOps, named because it relies on constant interaction and feedback between software developers, cyber security professionals, and the customer/end user/operator. They also need to document what they’re doing and present the Pentagon, not just with the software product itself, but with an array of supporting “artifacts” that testify to its cybersecurity soundness, such as a Software Bill Of Materials (S-BOM) — the digital equivalent of the nutritional and ingredients label on a box of cereal.

The Pentagon’s new Software Fast Track (SWFT) initiative, established by Arrington in April, aims to institutionalize many of these best practices, as well as applying automation.

“The goal there is to ask vendors who really want to get in quickly to give us all of these things [up front],” Dave McKeown, the Pentagon’s chief information security officer, explained. “Show us that you’re doing SSDF [Secure Software Development Framework]. Show us that you have an S-BOM. … We can leverage AI sort through those very quickly and come to a conclusion.”

The next step, McKeown said, is a radical overhaul of the cybersecurity Risk Management Framework, another labor-intensive process of human bureaucrats checking off items on a checklist. “We’re looking to blow up RMF — which, by the way, is not getting rid of it, [but] to change the focus of it from compliance and checklists and humans to cybersecurity and cyber survivability and automation,” he said. “AI will play a big part there to help us continuously monitor [software], help validate the system, secure [it] at inception, and then maintain security over time.”

The stakes are high, McKeown told the general session at the conference: “If we don’t adopt AI and stay ahead of the AI race, China’s gonna kick our butts, and we’re gonna lose our position in the world.

“AI is something we all need to embrace and dive in on, start leveraging in whatever way we can,” said McKeown. “Like Frank’s Red Hot Sauce, we should be trying to put AI on anything that you can.”


Summary

Pentagon officials highlighted at the Billington Cybersecurity Summit the potential of machine learning and automation to streamline cybersecurity processes, particularly for software receiving formal Authority to Operate (ATO) approval, reducing timelines from over a year to less than a month in some cases. The goal is to automate ATOs akin to car emissions checks using AI. DARPA's recent AI Cyber Challenge showcased AI’s capability in identifying and fixing vulnerabilities more efficiently than manual methods. Additionally, the Pentagon’s Software Fast Track initiative aims to integrate best practices and automation, with plans to overhaul the Risk Management Framework for improved cybersecurity efficiency and resilience against advanced threats.