As of this week, the Department of the Navy has a new senior official in charge of fixing a broad array of IT and cyber governance shortcomings across the Navy and Marine Corps. And while he’s been given broad discretion to implement reforms across a vast portfolio of responsibilities, the two sea services should not expect to see wholesale changes overnight.
On Tuesday, Aaron Weis became the Navy Department’s chief information officer and special assistant to the Secretary of the Navy for Information Management — a new position officials created, in part, to respond to critiques in an outside review that found the DON’s cyber authorities and responsibilities were confused and fragmented.
The elevated position goes beyond the portfolio previous DON CIOs have had. Weis will also oversee four new directorates the Navy is creating within his new office: A chief data officer, a chief information security officer, a chief technology officer, and a chief digital and innovation officer.
In each of those areas, the department wants the new office to set coherent policies across the Navy and Marine Corps to create more unity of effort. But perhaps more importantly, the office will have explicit authority to approve budgets and enforce standards that align with those policies, said Thomas Modly, the undersecretary of the Navy.
“Just getting our arms around and enforcing data standards or basic cyber hygiene standards – an integrated and well-understood business system strategy for logistics systems, for example, or for our financial management systems – these are all things that are firmly enforced in corporations, and we’ve not been that way,” he told reporters this week. “We’re very distributed in how we do these types of things. If you look at our supply chain and the number of logistics systems that are in our supply chain, that don’t share common data, that have multiple interfaces, those are all cyber vulnerabilities. Those are the types of things that we have to just start. We just have to start knocking those things down.”
It’s too early to know what the “knocking down” process will look like in practice, but at least in the early days of the new CIO structure, Modly said he did not expect the Navy Secretariat to mandate large changes that would create “operational risk” within the services.
“Frankly, we’ve got a lot of basic blocking and tackling that we’ve got to do first…we’re a million person organization, so it is going to take time,” he said. “This is not something that we’re going to fix in a year.”
At the same time, Modly said he realizes he and the rest of the current team of political leaders are facing a potentially short window. So, he said, he’s hoping to create basic organizational structures and governance processes that will make sense to that team’s successors.
“I’m looking at a 16 month window, because no one knows what’s going to happen in the election next year. Everything we do has to have so much logical clarity to it that anybody that comes in after us – they’re not going to try and devolve any of it,” he said.
In the cybersecurity readiness review the Navy publicly released in March, reviewers found anything but clarity in the way the department’s IT management had been structured. They said the Navy Department’s current posture leaves it highly vulnerable to the “existential threat” cyber risks pose to the sea services.
For example, until this week, there was no DON chief information security officer. And within the two services, CISO roles had been delegated to military officials who also had many other responsibilities.
“DON has no uniform or effective cybersecurity metrics to quantify the threat, influence resourcing, or operational planning. There is no overarching means to assess DON’s risk to mission, lives, or future planning based on ongoing compromises,” the review team wrote. “In best-of-class enterprises this would be unacceptable.”
Weis, who previously served as an industry CIO before taking his first position in the DoD CIO’s office a year ago, said he sees one of his main tasks as establishing clear accountability for performance across the department’s IT and cyber management portfolio.
“And one of the areas where I think we have to apply that is around how we architect, run and operate the infrastructure that we have here. We have to structure it so that we’re driving accountability around outcomes, and a capability-driven mindset versus a kind of a compliance mindset or a run-and-operate type of mindset,” Weis said. “It’s that accountability, coupled with visibility and ability to drive change through shaping of funds and strategy that we need to be able to apply here, and I think that’s been lacking in the Department of Navy.”
Congress has also been nudging DoD and the military departments toward consolidating and centralizing their spending decisions for IT and cyber. In addition to governmentwide mandates meant to empower and elevate CIOs, as part of the 2018 Defense authorization bill, lawmakers specifically barred the military services from buying IT systems that don’t comport with their CIOs’ technology standards.
Navy officials said they have already hired the leaders of the four new directorates that will report to Weis. They declined to name the new officials pending a formal announcement, but Weis said each of them will be on the job by Oct. 14.
“I’m looking at a combination of people,” Weis said. “We have some people who are coming from inside the department of Navy who bring broad depth of experience about how it happens here, and we’re also bringing in people from industry to fill some of those directorate positions. It’s that constructive tension that has to happen where we will test each other as a leadership team. We’re also going to have to understand and search for the best practices that already exist in the Department of Navy. This is a massive organization, and there are some pockets of real excellence. If we’re intellectually honest with ourselves, we’ll find those things and enable them as best practices. We don’t have to invent everything new.”
This year’s cybersecurity review found the DON CIO’s responsibilities were already fairly clear in existing law and Navy regulations. The problem, reviewers said, is that the office doesn’t have the authorities it needs to meet those responsibilities.
“The CIO currently does not have authority to set strict ‘Go/No-Go’ criteria, to which DON components must adhere in order to ensure unity of effort in addressing continuous threat vectors against DON’s multiple disparate but integrated networks,” they wrote.
Modly said it’s possible that he and Navy Secretary Richard Spencer may need to make changes to some aspects of the Navy Department’s organizational chart and lines of authority in order to deal with that problem, but he said it’s too early to say what those might be.
“That’s what I’m asking Aaron to do. He needs to let me and the secretary know what are the obstacles that he can’t get over for whatever reason, whether it’s cultural, legislative, policy, regulation, whatever,” he said. “That’s what we need him and his team to be looking at, and that’s what we expect them to do.”