Terry Halvorsen, the chief information officer for the Defense Department, said his biggest problem when it comes to cybersecurity is turning around the supertanker of Pentagon culture — figuring out how DOD can learn from agile and adaptable commercial enterprises while also defending the vast edifice of military IT networks from rapidly advancing cyberthreats.
Halvorsen talked about his efforts to change that culture Thursday, highlighting a number of areas inside and outside DOD where things have improved while admitting that much more work needs to be done before he feels comfortable about where the department stands when it comes to technology and security.
Even low-hanging fruit like securing the Pentagon against low-level attacks and ensuring high levels of cyber hygiene becomes a multiyear effort at the vast and sprawling DOD, he said.
“Getting to a point where we bring on the autonomous security piece, that’s an 18-24 month plan,” he said, adding that completion wouldn’t secure military networks against high-level, tailored and reactive attacks. “We will have eliminated much of the canned attacks that are somewhat successful,” he said.
“The biggest thing we have to do is develop an enterprise culture,” Halvorsen said at a media roundtable held by the Christian Science Monitor. “Cybersecurity is a big piece of that and we have to get much better.”
One of the ways he is looking to do that is through establishing a “culture of cyber discipline,” which leans on initiatives drawn up inside DOD to raise the level of cybersecurity knowledge among its own personnel as well as reaching out into industry to figure out how the department can move faster.
Halvorsen admitted that things aren’t moving fast enough: He wants to get to a point where security automation is in place to defend against attacks that happen around the clock.
“The big difference in cyber is it moves faster than any other warfare experience,” he said. “The things that we do today in cyber probably won’t be the same things that we do tomorrow.”
Another hindrance to DOD, according to Halvorsen, is the cost associated with moving slowly. Halvorsen talked about the need to remove labor costs linked to things such as data center upkeep, which is needed due to the shrinking field of IT workers that know how to work with DOD’s legacy systems.
“It is much less expensive for someone to attack us than it is for us to defend,” he said. “We’ve got to turn that around. Today, we are really on the wrong side of that.”
The process of turning things around has come with a concerted effort to bring industry in beyond the usual methods of procurements and requests for information. Halvorsen said IT personnel from various companies have been brought in on six-month tours to help with everything from security automation through software-defined networking to teaching the “cyber economics” of what goes into securing large enterprises.
This push for holistic understanding is made necessary because in IT, the DOD is not a market influencer in the same way it is in sectors like weapons systems or combat vehicles.
“If you are buying a submarine, we kind of own that market,” he said. “If you are buying software, we don’t own that market.”
Along with personnel from bigger IT companies, the DOD has also been working to bring aboard small businesses and startups based in Silicon Valley through its Defense Innovation Unit – Experimental office. Halvorsen said since it opened earlier this year, DOD has been using the office to learn how to move faster in its business cycles to take advantage of the innovations that come from startup hubs around the country.
“If you are a small business and you are innovating, you are working on a three-to-six-month funding cycle,” he said. “We’re generally not turning that fast. One of the things we are trying to do out there [in Silicon Valley] is [figure out] how do we make the smaller investments that we have to be faster on.”
Halvorsen said despite the huge resources he is working with, help from all avenues of the private sector has been vital to standing up a better cybersecurity presence within the department.
“I do think American industry responds to DOD very well,” he said. “We have industry with us on the forward edge. When you talk to the industry, most of them are very happy, grateful even, to support the mission.”
It’s a mission that Halvorsen said is going to take 18 to 24 months before they can eliminate the onslaught of cyberattacks, but one in which he knows he doesn’t have the option of staying with the status quo.
“It’s an important part of our business and an important part of our culture,” he said of cybersecurity. “You have to go there with the right tools and the right understanding.”