A trio of Defense Department IT heavyweights told senators at a Jan. 29 hearing that the agency is tightly focused on implementing the cybersecurity strategy it unveiled last year, and they expressed a high degree of confidence that their efforts in 2019 to implement that strategy will drive security improvements.

The strategy, released in September, sets forth five objectives for DoD, including ensuring the military can achieve its missions in contested cyberspace, integrating cyber capabilities into planning and operations, deterring and defeating cyber activity against U.S. critical infrastructure, securing DoD systems including non-DoD-owned networks against malicious cyber activity, and expanding DoD cyber cooperation with allies, partners, and private sector entities.

Focus on Cyber Strategy

At last week’s hearing of the Senate Armed Services Committee’s cybersecurity subcommittee, Marine Gen. Dennis Crall, who is principal deputy cyber advisor and senior military advisor for cyber policy, said DoD’s focus in 2018 was on publishing the cybersecurity strategy and posture review, and that “this year’s moniker is about implementation. It is time to show results, this is the year of outcomes.”

“We have actionable lines of effort from our cyber strategy … that is what we are focused on,” he said.  And he warned that 2019 won’t be a good year for “stove-piped solutions,” or “those who like endless pilots, pathfinders, and experiments that lead to nowhere.”

“I do agree that there is a sense of optimism” at DoD that executing the new strategy will bear fruit, he said, adding, “I think the department has turned the corner.”

IT Modernization Priorities

Dana Deasy, DoD’s CIO, explained the department’s aim to improve cybersecurity as part and parcel of the larger goal of IT modernization.

“Cybersecurity is at the heart of the digital modernization of the Department of Defense,” he said, and explained that the broader goal of digital modernization includes a range of efforts that will also impact security including further adoption of cloud services, and development of AI technologies and next-generation command and control capabilities. “This is a highly integrated set of things we are doing,” he said.

Deasy emphasized that additional authorities given to his office under the 2018 National Defense Authorization Act (NDAA)–including authority to set IT standards for all military services and to review their IT budgets–also are key to the modernization effort.

But he also stressed that the largest linchpin to creating better cybersecurity is action to speed IT modernization overall.

“Legacy [IT technology] is the biggest challenge,” he told senators. The new authority for the DoD CIO office “allows my office to establish standards and architectures … We are going to drive those standards,” he pledged. “We know there are people who will be very uncomfortable that we will no longer allow them to set up their architectures and systems,” he said.

“I used to think that starting things was the most difficult part,” added Gen. Crall, “not stopping them,” in a reference to the larger goal of moving away from legacy systems.

“Welcome to the Federal government,” quipped Sen. Kirsten Gillibrand, D-N.Y., in return.

“The days of people rolling their own solutions … has to be revisited,” Deasy said.  And the “days of debating” about tools has to stop, and “we have to move to the implementation phase,” he said. “We need to spend all the time talking about how to get the work done.”

Supply Chain Security

Deasy told senators that supply chain security in the defense industrial base (DIB) is one of his “top ten” areas of concern, and that the Pentagon needs to treat its subcontracting base the way it does its own IT, especially contractors that are below the “tier one” level.

“There is a task force working on how we handle that,” he said, including contracts and forensic aspects of the problem. “Where the issue is for us now, as you go down through subcontracts … do they have the ability to defend themselves,” he said.  “The question is what should we be doing to help them defend themselves,” he added.

“This is a massively large supply base,” he said.

Deasy said DoD has “some thoughts about bringing them [contractors] into a cloud of our own” in order to improve the supply chain security environment. “We are in active conversations about how to do that,” he said, adding “we are in early days on that.”

The CIO’s comment about a possible contractor cloud was in line with a statement in November 2018 by Thomas Michelli, acting deputy CIO for cybersecurity at DoD, that talks were being held at the Pentagon to improve supply chain security by providing a “government furnished cloud” for contractors to use.

Other ideas being discussed, Deasy said, include having third-party companies perform contractor cybersecurity evaluations.  AI and machine learning, he offered, could also be part of that mix, but he said those ideas are “very much in the early days.”

Sen. Mike Rounds, R-S.D., chairman of the subcommittee, delivered a strong pitch to the DoD IT leaders to turn to the private sector for security technologies. “We did this open hearing to show how big the challenge is,” he said. “This is not something that can be done by the DoD alone,” but also requires industry coordination, he said.

Vice Adm. Nancy Norton, director of the Defense Information Systems Agency (DISA), told subcommittee members that DISA maintains a “robust partnership” with industry that is “critical” to bringing necessary capabilities to DoD.

Sen. Joe Manchin, D-W.Va., ranking member of the subcommittee, told the DoD officials that the agency’s cybersecurity strategy and its focus on a “common security architecture” was helping DoD to turn the corner in its drive to improve network security.

And he said the agency needs to improve security in its supply chain, recruit and train experts in cyber warfare, and figure out how to better apply artificial intelligence and machine learning technologies.

“We’ve talked about these for a long time … Now, finally, the department may be prepared to take real action,” the senator said.

 

John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.