Several Pentagon cybersecurity leaders made clear Tuesday that they’re getting impatient with the military’s IT security posture and that 2019 will be a year of action on the Department of Defense cyber front.
“If last year, maybe the theme was on strategy, I’d say this year’s moniker is a bit different,” Brig. Gen. Dennis Crall told the Senate Armed Services Committee. “This is about implementation. We know where we need to head. We know the pacing we have in front of us. But it’s now time to show results. So I would say this is the year of outcomes. And that’s what we’re focused on: Delivering the capabilities and improvements that we’ve discussed for some time.”
Crall, the deputy principal cyber adviser to the secretary of Defense, cited last year’s release of the DOD Cybersecurity Strategy as the guide for the gaps the department currently faces in the cyber domain, plotting a course for how to “get after them.”
“We have actionable lines of effort that come from our cyber strategy,” he said. “These are things that we can do and that we can measure our progress against. And that’s what we’re focused on.”
Defense CIO Dana Deasy — testifying with Crall and Vice Adm. Nancy Norton, head of the Defense Information Systems Agency — echoed that strategy in his remarks. There’s a sort of perfect storm occurring at DOD, he said, where the right pieces are in place to take solid action against the military’s persisting cybersecurity deficiencies.
“I think we have for the first time a series of things that are going on well” to address cybersecurity, Deasy said. It starts with top leadership at the department, to include acting Secretary Patrick Shanahan. “You need the top of the house to be highly engaged on this,” he said.
Shanahan, who has held the top job since the departure of Jim Mattis earlier this month, was also responsible for overseeing much of the Pentagon’s cybersecurity strategy development in the past year as the chair of a DOD CIO-cyber working group. “He personally, before his new duties came into play, chaired that meeting,” Deasy said about Shanahan. “He was at it every week. He would look for the metrics. He was quite the tasker of ensuring the activities were getting done. And he’s done a very strong handoff now” to acting Deputy Secretary David Norquist, who served as DOD’s comptroller before that.
“One of the things I have been incredibly pleased with since joining the department is to see the top of the house be extremely active on what I’ll call a very frequent basis, i.e. weekly, in the engagement of all the activity that you’ve heard us talk about today,” Deasy explained.
A step down the chain of command, DOD cybersecurity leadership is anxious to act.
“You have a set of leaders who are very impatient, including myself, that are done admiring the problem and are moving into tasking,” Deasy said.
The 2018 National Defense Authorization Act gives the DOD CIO enhanced authorities to oversee and certify IT and cybersecurity budgets and set standards across the entire military. Deasy said he plans to take advantage of his new authority this year, which “enables me to ensure the Department is pursuing enterprise cybersecurity solutions that are lethal, flexible, and resilient.”
“This is including being less tolerable on people being able to go on and use their own solutions,” he said. “The authorities that you all gave me starting this year around being able to set architectural standards is quite significant. We are now starting to use those new authorities.”
With that authority, Deasy told lawmakers they should expect “a lot of noise in the system.”
“For years … we have allowed services and various components to roll and implement unique solutions that maybe aren’t interoperable, or stand alone,” he said. But the new authority allows Deasy to set both the standards and the architectures for components and the services to follow.
“We are going to drive those standards, we are going to drive implementation, and we know there are going to be people who are very uncomfortable about the fact that we’re no longer going to allow them to stand up their own architectures or solutions,” Deasy said.
This enterprisewide standardization and centralization of IT architecture and policy — a “unity of effort,” as Crall put it — was a recurring theme in each of the leaders’ remarks Tuesday. “We’ve turned a corner on that,” Crall said. “Even well-intentioned people doing business in opposite directions puts us in a fix.”
Norton said the Joint Force Headquarters DOD Information Network — the Pentagon’s organization responsible for defending its thousands of interconnected networks, which she also leads in a dual-hat capacity in addition to DISA — will benefit from added centralization and standardization.
Aggregating those many DOD networks for better visibility into the department’s cyber posture is extremely complicated, she said, mainly “because technology doesn’t necessarily make that easy — [components and services] all acquire those in different ways.”
However, the added focus on standardization will make it easier to bring together the disparate networks and their data, Norton said. “That gives us at JFHQ-DODIN a much better understanding of what everybody’s cyber posture is across all of those networks.”