The Defense Department’s biggest challenge around cybersecurity has nothing to do with technology.
Terry Halvorsen, the DoD chief information officer, said the military needs to establish a culture of cyber discipline.
“We are really trying right now to make sure that people understand — you have to go to the Internet, it’s an important part of our business, it is an important part of our culture, but you have to go there with the right rules and right understandings,” Halvorsen said Oct. 29 at a breakfast sponsored by the Christian Science Monitor in Washington. “Maybe the biggest thing we have to do in DoD is develop an enterprise culture. Cyber is forcing us to think different about that. Unlike other areas, cyber truly is enterprise because it’s connected and you can’t help it. It’s going to be a connected piece. We have to get much better at that at DoD. We have to think about what it means to be an enterprise, where we will act as an enterprise and under what circumstances are we doing to act as an enterprise. That gets us to mission, security and cost effectiveness.”
To that end, Halvorsen said Defense Secretary Ash Carter and Joint Chiefs of Staff Chairman Gen. Joseph Dunford earlier this month signed the DoD cybersecurity implementation plan focused on tools, culture and training.
“First of all, we go after the basics. The basics include things like higher education levels and more tools around some of the common attacks like spear phishing, setting up fake websites and things like that,” he said. “Step 2 raises it to the next level where we really start looking at more advanced attacks and how do we prevent those. It’s the same type of combination of training, education and tools, but they are just more advanced and you have to have more education and training. And it’s really also educating leaders at every level, what their responsibilities are and what they need to know.”
Halvorsen said it’s ensuring the units are prepared to deal with cyber threats, similarly to the way the services prepare units for non-cyber missions.
A scorecard for cyber discipline
DoD also is establishing a scorecard to measure how leaders, units and commands are doing to establish that cyber discipline.
He said he recently presented to Carter and senior staff the plan for the scorecard and how those measures will evolve over time as DoD improves its cyber discipline.
“This is really one of our first attempts to really measure that consistently across all levels and across all forces. It includes combatant commands, each of the services, the agencies, everybody gets to be measured,” Halvorsen said. “It’s an interesting drill because it’s an area where we were used to measuring readiness in other areas but we frankly weren’t doing that for cyber. I don’t think that should surprise anybody. Cyber is a relatively new warfare. If you look at the history of aviation, look at the history of how we developed nuclear, it took us awhile to get to this point. The biggest difference with cyber that we are having to react to is it moves faster than any other warfare. That is a challenge. The things we do today in cyber probably will not be the same things we do tomorrow.”
Halvorsen said this change isn’t just impacting the military, but its contractors as well.
He said in a recent cloud security document, industry wanted to know how long will the policy be in place. He said the policy is good for as long as it addresses the threats and vulnerabilities. Once it doesn’t, DoD will change it.
“It has accelerated change and we are generally not good at it,” he said.
Holding executives more accountable
The development of training and metrics for cybersecurity comes as Halvorsen also is promising to hold executives more accountable for IT security problems.
Halvorsen said in June that he intends to implement measures that will hold both users and their commanders accountable when they violate basic rules of cyber hygiene.
While he didn’t expound on how DoD would hold executives accountable, Halvorsen said the people inside the military know the consequences if they don’t meet the expectations of basic cybersecurity.
“In some cases we’ve applied Uniform Code of Military Justice (UCMJ) where that’s appropriate. We’ve applied written counseling when that was appropriate. We’ve taken the appropriate actions, given all the tools DoD has to take those appropriate actions,” he said.
DoD last released a cyber strategy back in July 2011 with a focus on defense and denying the benefits of an attack.
Since that initial thinking in the cyber strategy, DoD has undergone several major changes. First, it moves major operational efforts out of the U.S. Cyber Command and into a new organization, the Joint Force Headquarters-DoD Information Networks, which is headquartered at the Defense Information Systems Agency. Next, DoD is setting up three new branch offices, located in Europe, in the Pacific and in U.S. Central Command, designed to help defend systems in various geographic areas.
This latest strategy is less about creating a defensive or offensive approach, but helping protect DoD networks and data on the front end.
Halvorsen said DoD wants to automate more of its cybersecurity protections to not only stop attacks from happening, but move into the predictive sphere where the military can recognize patterns or network vulnerabilities before they become network holes.
“The first thing you have to do is you raise the playing level. When you get your cyber basics right and you have people doing the right things, frankly you eliminate all of the small end players. That is one of the things we have to do,” he said. “The other piece of that will be bringing on the autonomous tools so that what we are doing is doing that with an automated piece and not with an intensive manpower effort. Manpower costs money.”
Halvorsen said the end goal is to make it more expensive for the bad actors to cause DoD harm.
It will take 18 to 24 months for DoD to make real progress instituting that cyber discipline and eliminating many of the “canned” attacks that are attempted today against the Pentagon’s networks.
“This is a balance. It’s always a balance. It’s a balance across time, money and mission threat and it’s getting that right,” he said.