The Defense Department is telling weapons systems providers and mission owners to secure them or risk being taken off the network.
This is part of the latest effort by the DoD chief information officer’s office to make the security of weapons systems and other non-traditional systems a higher priority.
Dr. Kelly Fletcher, who was the principal deputy CIO at DoD until this week when she moved to the State Department to be its CIO, said cybersecurity hasn’t been consistently applied to weapons systems over the years.
“We’re partnering with [the Office of Undersecretary of Defense for] Acquisition and Sustainment to get after this, and we’re trying to make sure that there’s zero trust principles for our weapons systems as well as our networks,” Fletcher said at the recent INSA/AFCEA National Security Summit. “The place where I think we’re driving success is with the current administration, there’s a big support to enforcement. Frankly, I think the challenge we’ve had in the past is that we’ve had these requirements, but they just haven’t been prioritized. We’re not perfect on hitting all of the requirements. I think cybersecurity requirements haven’t been prioritized, and I think that’s been true when systems are in operation and I think that’s true when systems are being designed. Right now, what we’re doing is we’re finding those systems that are being sustained that don’t have appropriate cybersecurity controls and we are using the authorities that we have to take them off the network, to make sure that they cannot operate until they do have these cybersecurity controls.”
Fletcher said that by taking this more rigorous, even hardline, approach, it’s clear there are new rules around cybersecurity whether DoD and its vendors are building a plane or an IT system.
Every agency CIO has the authority to disconnect systems that don’t meet cyber requirements. But a threat of disconnection is much different than actually disconnecting the application.
Balancing mission and cyber requirements
Fletcher said while it’s something they haven’t done very much in the past, they now are becoming more aggressive in taking action as a part of the culture change the CIO’s office is pushing.
She said finding the right balance of meeting mission needs versus meeting cyber requirements is something that the DoD CIO’s office understands inherently.
“We are not taking things off if there’s a mission being supported. But we’re going to get after with alacrity. We’re going to shine a light on it. We’re going to bring in the experts and they’re going to fix it,” she said in an interview after the panel. “In some cases, we haven’t pulled things offline, even when they failed. But what we’ve done is flood resources in and leadership attention to fix it rapidly.”
Fletcher declined to offer any specifics about which or how many systems the CIO pulled offline, but did say they have turned up the enforcement requirements in a more stringent way than previously.
The DoD inspector general and the Government Accountability Office both issued reports in early 2021 on DoD’s efforts to secure its weapons systems.
In February 2021, the IG said the services “regularly obtained and analyzed cyber threats from various intelligence agencies to assess potential operational impacts to the weapon systems, and, based on their analysis, updated cybersecurity requirements to account for additional countermeasures implemented or needed to protect the weapon systems from the identified threats.” At the same time, however, the IG warned that because of the time it takes to develop a weapons system, DoD program owners must develop plans to reduce cyber risks.
A month later, GAO found that while DoD made some progress, it was falling short in consistently incorporating cybersecurity requirements into contract language. Auditors said they found some contracts that had no cybersecurity requirements when they were awarded and DoD added only vague requirements later.
A year after those reports, the DoD Undersecretary of Defense for Research and Engineering (USD(R&E)) launched a new information portal, called the Cyber Resilient Weapon Systems Body of Knowledge (CRWS-BoK) Portal Version 1.3, to help the workforce in the engineering of cyber resilient weapon systems.
Managing technical debt
This effort, whether for weapons systems or traditional IT systems, is part of the broader effort by DoD’s senior leadership to shore up cyber vulnerabilities.
“We’ve had a lot of conversations about how do we make sure that we have the right funding to get after these vulnerabilities? The way that we program in DoD, it takes years to get a specific line to do this specific activity. Well, what we’re finding is a lot of the things that we need to do, they’re in the sustainment funds that are available now. It’s just a matter of choosing to prioritize and getting after vulnerabilities rather than providing new capability, or getting after vulnerabilities rather than doing something else with these sustainment dollars,” she said. “It’s really a question of priorities. Right now, the priority of the department is ensuring that we’re modernizing and because we’re seeing leadership attention on this, because we’re looking at it with data-driven metrics. We’re seeing a lot of big progress.”
At the same time DoD is holding mission offices and vendors more accountable for cybersecurity, it also is addressing the years of technical debt it manages.
“We’re looking at latency across the network, which you can measure that. There’s all sorts of sensors that we have in place already that are giving us hints as to what the problem is,” she said. “But now we are actually compiling those and using them to inform how we devote our resources in the future to solving these problems.”
New IC framework coming
The Intelligence Community is experiencing a culture shift of its own. Lori Wade, the chief data officer for the IC, said at the INSA/AFCEA event that the change is focused on how they work with industry.
Wade said the IC will release a new IC-private sector framework to help further drive innovation.
“The idea behind that is so that when we look at the partnerships, relationships and engagement and how we are doing that as an IC around what priorities against the National Intelligence strategy, against the DNI priorities, against the intelligence planning guidance, how are we organizing, not only within the IC, but with our private sector partners, and in a different way?” Wade said. “The framework is about how do we pull that approach together, and then where do we look at where there are barriers to how we’ve been doing that in the past. How do we work with our partners in a co-innovating way, and not just looking at our partners in the private sector as vendors? How are we actually taking big issues, big areas, against our adversaries to them and working with them to look to the future? The focus is not just on the now issue, I need this kind of capability delivered today, but how are we really looking at the next decade.”
Additionally, Wade said the framework details the IC’s philosophy about how it wants to work with the private sector, such as implementing a vendor front door to make it easier to match needs with technologies or services.
She said the framework also will lay out the IC’s communication plan to ensure industry understands what success looks like both from actual examples and from metrics the IC will lay out.
Wade said the framework is in the final stages of approval but couldn’t offer any sort of timeline for release.
“The other program that has just rolled out about two months ago for the intelligence community is the Public Private Talent Exchange. This is a program that’s going to be focused on what are exchanges of talent between the private sector and the intelligence community officers, where we could send intelligence community officers into the private sector, and do work against mission areas at all levels on class secret and top and vice versa, bring in the private sector into the IC to work big hard problems,” she said. “This is something that’s rolling out. We’re trying to be very intentional and plan for that. We have a data driven approach to how we’re addressing the talent and expertise challenge that we’re facing all of us, quite frankly.”
“If we look from the way this strategy will focus us on that deliberative planning of the data from the point of collection all the way through to exploitation, but also to disposition. If we start with that in mind, we start to really be deliberative in our planning about the data and understand from the point of collection what the real classification of the data is,” she said. “If we make a plan for the data at the beginning and that plan takes into account who needs the data, why was the data being collected to begin, where does the data need to go ultimately, and if the goal is to unlock commission value and provide insight at speed, and needs to scale securely, the data flow will go to where it needs to go.”