As cyber threats evolve at lightning speed, Defense Department (DoD) Chief Information Security Officer (CISO) David McKeown unveiled his top ten cyber priorities, with cryptographic modernization (CM), zero trust, and defense industrial base (DIB) cybersecurity at the top of the list.

During his keynote session today at the AFCEA Tech Summit in Washington, D.C., McKeown provided insights into the DoD’s latest efforts to advance these critical areas.

CM Tops the Chart: A Foundation for DoD Cyber Efforts

CM stands as a top priority for the DoD CISO, who sees this area as “foundational to the department’s cybersecurity efforts.” However, he acknowledged that it’s a long and arduous process.

“The hardware and software that we use for securing our nation’s secrets takes a long time to develop and test … and we constantly have to stay ahead of the game,” McKeown said. “If an algorithm reaches its effective point, it takes a long time to develop a new one, so we’ve got to think ahead as to what the adversary might be working on and develop algorithms that are there in time to meet the adversary’s ability.”

CM at the department – which is overseen by the National Security Agency – is the process of upgrading DoD cryptographic systems to better safeguard sensitive information and devices. This process typically takes an average of eight to 12 years to complete, depending on factors such as the number of devices, products and platforms involved, maintenance and facility capacity, and the complexity and scale of the networks.

Additionally, as part of its CM efforts, the DoD is particularly interested in developing, testing, and integrating “new quantum-resistant cryptographic solutions to outpace our adversaries’ capabilities to disrupt and compromise our national security systems,” according to McKeown.

While quantum computing technology is still a bit of a distant reality, it gets closer every year, according to McKeown, making its mitigation a top priority for the DoD.

Runner Up: DoD’s Ambitious Zero Trust Goal

Ensuring defense components and services meet the DoD’s fiscal year (FY) 2027 zero trust goal is McKeown’s next top priority, with efforts already ahead of schedule – three years ahead, in the Navy’s case.

On Tuesday, the Department of the Navy’s Flank Speed cloud service became the first to achieve full compliance with the DoD’s zero trust goal by meeting all 91 targeted zero trust capabilities, hitting a major milestone about three years ahead of deadline.

“They met 151 out of 152 capabilities. So, they overshot the targeted and they’re one activity short of an [advanced] environment,” McKeown said.

Former DoD Chief Information Officer (CIO) John Sherman set an ambitious goal in 2022 to implement a zero trust architecture across the entire department by fiscal year (FY) 2027. To reach target-level zero trust, defense agencies must meet 91 capabilities – 152 for advanced zero trust.

“We’ve asked each organization in the [department] to develop an implementation strategy, which we’ve reviewed, we check their … zero trust [budget] and all that’s going really well,” he said, adding that this year defense agencies will be required to submit an updated zero trust implementation plan.

DIB Cybersecurity Takes Third Place on DoD CISO’s Priority List

Third on his list is the DoD’s efforts towards establishing a secure, resilient, and technologically superior DIB.

Part of that effort is bringing the goals outlined in the department’s DIB cybersecurity strategy to fruition. Along that line of effort, McKeown announced that an implementation plan for the strategy will be unveiled soon.

Earlier this year, the department unveiled the DIB cybersecurity strategy – the first-ever strategy to enhance cybersecurity across the DIB.

The strategy outlines four goals aligned with this effort, and according to the department, the goals are key objectives that will guide DoD’s efforts to defend the nation and maintain a technological advantage.

“We’ve established governance constructs, including a DIB executive steering group that helped develop this entire strategy. We also just developed the corresponding implementation plan, which is in the final phases of department-wide approval,” McKeown said.

He also announced that the DoD Chief Information Office will soon take official command of DIB cybersecurity efforts. To date, the CIO has held this role in an acting capacity.

“The DoD CIO is about to be appointed as the lead for DIB cybersecurity. We’ve been acting in that role, but we’re going to receive an official memo signed by the [secretary] any day now,” he said.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.