The Department of Defense issued its first cybersecurity strategy Tuesday since 2015. On the heels of that, the Pentagon’s No. 2 in charge made it known to the defense industrial base that he expects the products and services DOD buys to come secure, just like the department expects them to be of the best quality.
“Cybersecurity is probably going to be what we call the fourth critical measurement. You know, we’ve got quality, cost, schedule,” Deputy Secretary Patrick Shanahan said Wednesday of how the DOD evaluates its acquisitions. “Security is one of those measures that we need to hold people accountable for. And it shouldn’t be that being secure comes with a big bill. Like we wouldn’t pay extra for quality, we shouldn’t pay extra for security. We’re in a new world, and security is the standard, it’s the expectation, it’s not something that’s above and beyond what we’ve done before.”
The new cybersecurity strategy, which supersedes the 2015 version, focuses on how the department will implement the priorities of its National Defense Strategy in cyberspace, particularly in defending against Russian and Chinese “persistent, aggressive cyberspace campaigns that pose strategic, long-term risks to the Nation, our allies, and partners.”
The strategy sets five objectives DOD will strive to achieve indefinitely into the future:
- Ensuring the Joint Force can achieve its missions in a contested cyberspace domain.
- Enhancing Joint Force military advantages through the integration of cyber capabilities into planning and operations.
- Deterring, preempting, or defeating malicious cyber activity targeting U.S. critical infrastructure that is likely to cause a significant cyber incident.
- Securing DoD information and systems, including on non-DoD-owned networks, against cyber espionage and malicious cyber activity.
- Expanding DoD cyber cooperation with allies, partners, and private sector entities.
“The United States cannot afford inaction: our values, economic competitiveness, and military edge are exposed to threats that grow more dangerous every day,” the cyberspace strategy says. “We must assertively defend our interests in cyberspace below the level of armed conflict and ensure the readiness of our cyberspace operators to support the Joint Force in crisis and conflict. Our Soldiers, Sailors, Airmen, Marines, and civilian employees stand ready, and we will succeed.”
Keynoting the Air Force Association’s Air, Space & Cyber Conference, Shanahan commented on his priorities in enhancing the department’s cybersecurity, particularly building up its talent base and the recent hire of CIO Dana Deasy, the former CIO of JPMorgan Chase.
“He prevented one of the biggest banks in the world from being robbed in cyberspace. Not an easy feat,” Shanahan said. “As we know, those hackers are relentless, almost as relentless as they are against us. Now he’s our chief information officer and we’re benefitting enormously from his deep experience with cybersecurity and artificial intelligence and having the knowledge and experience of operating at massive scale against committed adversaries.”
Deasy is also leading two of the Pentagon’s biggest IT initiatives as well: the development of its Joint Artificial Intelligence Center and the $10 billion Joint Enterprise Defense Infrastructure acquisition of commercial cloud capabilities.
‘Embrace enterprise solutions and speed’
The other element Shanahan spoke about was “understanding where our big risks are in our [Department of Defense Information Network].” As required in the 2018 National Defense Authorization Act, the Pentagon conducted its first “cyber posture review,” which showed where its major gaps are and ultimately led to the new cyber strategy. “We know where they are,” he said. “I would just offer to everyone here that we have plans to address the vulnerabilities.”
Cybersecurity is just one part of how technology plays into the National Defense Strategy. Shanahan talked also about the overall modernization of the department and military services and how that can drive more efficient and effective mission outcomes, and ultimately lethality.
“I’d urge this audience the embrace enterprise solutions and speed,” he said. “Many of the back-office HR and materiel management systems that industry has deployed over the past decade are ripe for our adoption. It’s what I call R&D: ripoff and deploy. A custom, federated approach is a trap. Our teammates deserve a modern environment, the department deserves standardization, and the taxpayers deserve the corresponding dividend.”
In particular, the next few weeks, he said, could largely shape future of U.S. defense in the buildout of the “strategy-driven” fiscal 2020 budget.
“But it’s more than a budget request. It captures programming, it integrates plans to transition from technology demonstrations to development to fielding with outcomes and timelines necessary to dominate a new era of great power competition,” Shanahan said. “Now is the time to make choices about we will and won’t do. Those choices, as reflected in this budget, will determine what our military looks like for the next 50 years. And we ‘ve got 10 weeks to complete it.”