As the use of mobile devices and services pervades the lives of civilians and military personnel alike, the Department of Defense is taking a more endpoint-driven approach to how it secures its networks, developing a forthcoming enterprise cybersecurity strategy focused specifically around the gadgets people use.
DOD CIO Dana Deasy said Monday, “One of the things I keep stressing is we have to step up and face the reality about the world around us becoming more and more mobile, each and every day.” And it’s getting to a point where DOD must begin to embrace mobility, even if it means added security challenges.
“I truly believe, whether we’re ready to have all the solutions in place, mobility is a way of life,” Deasy said at the Defense Information Systems Agency Forecast to Industry. “The fact is that it permeates every aspect of our life, it permeates the way we conduct our lives. And I think the reality is that the warfighter is going to need mobility out at the tactical edge. I think we’re going to need to support mobility in a way … where we can make sure from point A to point B the information can get out to the mobile device in a secure manner. So I see it as an integral part of the future.”
Asked what that means for cybersecurity of the sprawling Department of Defense Information Network (DoDIN), Deasy said his office keeps a list of the top-10 cyber risks across DOD and “you won’t be surprised if I told you it starts with the endpoint.” Looking at the DoDIN, he added, “you realize there’s a lot of different types of endpoints,” from weapons systems and traditional laptops to new smartphones and Internet of Things-connected devices.
“It’s a relatively complex space, primarily because the department is a complex ecosystem,” said Lisa Belt, acting director of DISA’s Cyber Development Directorate. “The department has done really good work on securing over time traditional endpoints.”
But that landscape is quickly and constantly evolving. DOD has prioritized how it will approach newer, nontraditional endpoints based on the recently released Department of Defense Cybersecurity Analysis and Review framework, Belt said. That should be recognized in the forthcoming enterprise cybersecurity strategy, which will be issued by Deasy’s office, though Belt wasn’t sure when.
“The strategy aims to lay out that environment in its complexity, what can and should be done to get after each of those pieces and to integrate those where possible,” she added.
Through the results of that prioritization, “We’ve moved out and started getting after [endpoint detection and response] and containment as two of the key areas,” she said. DISA has also launched pilots with military services in those areas.
“So we’re learning about what’s working there and what isn’t,” Belt said. “Expect to see some acquisition strategies refined in this space as we move forward over the next three to six months.”
Identity, credential and access management will be another big part of securing DOD’s mobile ecosystem, particularly in moving away from the traditional common access card to something that a smartphone or tablet can more readily work with to prove a service member is in fact themselves, Deasy added.
He often jokes with his team by pulling out his CAC card and saying, “I’m not sure how I’m going to plug this into my mobile device,” he said Monday.
“It really does talk about the fact that I believe mobility is going to become ubiquitous, the devices out there are such that we’re going to have to move to a strategy of identity, credential and access management that moves us beyond the physical CAC,” Deasy said. “I believe the mobile device is the device that’s going to become the predominance of how we work and interact and communicate across the department going forward.”