While the Pentagon continues to build its cybersecurity capabilities, not everyone within the agency’s departments is prioritizing meeting cybersecurity standards, said David McKeown, the Department of Defense’s (DoD) senior information security officer and deputy chief information officer, on Friday.
“We publish capability planning factors, where we outline what services and agencies are supposed to do, and that means put your money where your mouth is. You have to fund things that are going to solve the problem,” said McKeown.
The official explained at an AFCEA NOVA event on Dec. 13 that standards required to be met by military services are laid out in a five-year plan called the Capability Planning Guidance, which is issued by the Chief Information Officer’s (CIO) office. If services’ reports back to the CIO’s office show limited work toward these requirements, it can result in withholding budget approvals.
“There have been two occasions over the last several [budget and planning] cycles where my boss, the CIO, has sent a warning to a service secretary that we may not certify your budget because you are not adequately addressing this requirement,” said McKeown. “That’s a pretty big deal, and it gets their attention, and they quickly rectify that.”
Funding cybersecurity protocols often means that money that would be going elsewhere is diverted toward meeting requirements, McKeown acknowledged. And he said that other channels for funding initiatives outside of cybersecurity requirements, such as through the Zero Trust Portfolio Management Office, help “advocate” for funding shortfalls.
“We know that even inside the services we’re often robbing Peter to pay Paul. When we tell them do something like [meet requirements], something else is probably going to fall off,” McKeown said.
More recently, leadership has started paying more attention to the need for cybersecurity improvement, added McKeown.
“There’s an increased awareness, a lot of the top leadership is getting it,” he said. “I’ve heard acquisition professionals tell me that ‘we know about these cyber vulnerabilities and they’re critical’ … I think more and more people are hitting the ‘I believe’ button.”
Air Force Brig. Gen. Heather Blackwell, deputy commander of the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), said that she has also witnessed commanders show a greater understanding of the need to treat network security like “cyber terrain.”
“I can’t do command and control for 3.2 million endpoints, all for my 450 person headquarters workers,” said Blackwell. “So we have organized this battle space … so that I have a single commander that I can go to, to say ‘you have not done your cyber hygiene like we asked you to do, you have a compromise … because it’s all connected,’ so making sure that somebody owns that terrain is one of the biggest pieces.”
Training commanders and service leadership on cybersecurity and educating on the need for increased security can raise awareness and address gaps in standards, Blackwell and McKeown said.
“Tabletops are a good start, the red teaming is a much better start,” said McKeown. “I wish that weapon system platforms and crypto infrastructure platforms constantly were red teaming their own things and then fixing those things … we need more of that as we go forward.”
“The most important element is the people,” said Blackwell, noting the importance of training and education. “You can sprinkle all those data analytics and machine learning and artificial intelligence. Compound that you don’t have the people to look at that data and make decisions and take actions, then we are not going to be agile enough for when and if a crisis does occur.”
