The Defense Department is in the midst of an ambitious effort to redefine the work roles, job descriptions, qualification standards and training requirements of all of its information technology personnel.
The revision stems from the Pentagon’s view that there are too many seams between the parts of its workforce responsible for cybersecurity and those who keep its systems running each day.
Richard Hale, DoD’s deputy chief information officer for cybersecurity, said the objective of the relook at the IT workforce was to make clear that virtually every employee needs to be involved in the critical work of applying security patches and making sure all of its systems are properly configured. Not doing so represents, by far, the department’s single biggest vulnerability to cyber threats.
“This finally dawned on me when I visited a DoD data center and all of the people there knew every single thing about the technology and the customers they were supporting, so I asked them to tell me what they were doing in cybersecurity,” Hale told a cyber conference organized by Federal Computer Week on Feb. 17. “They said, ‘Oh, other people do that. We don’t actually know them. They put a box on our wire and they talk to us once in a while, but we don’t have any cybersecurity responsibility.’ And I said, ‘Oh dear.’”
The security people in question are DoD’s Computer Network Defense Service Providers (CNDSPs). There are 22 in all, and in theory, every computer in the department is supposed to be protected by one of them. DoD had already announced in its 2015 cyber strategy that it wanted to re-examine whether the CNDSPs were up to the task. But Hale suggested Wednesday that their role would become highly specialized, as opposed to bearing the entire day-to-day burden of ensuring the security of networks that they don’t actually manage.
“We’ve crafted our policies and responsibilities incorrectly,” he said. “Our notion of what the IT workforce ought to be still hasn’t adjusted to the fact that cyberspace is not a benign environment. Every single person in the IT workforce has to have a cybersecurity job, just like safety in the airplane business. But they have to know that they have that job and they have to know how to do it, so we need to take care of them and train them properly. We’re DoD, so this is a slow process, but we’ve already put policy out to start this process and create the new work role standards. We’ll still need some experts, but everybody has to play.”
Additionally, DoD’s review of the CNDSPs has found that there were some systems that none of the CNDSPs had been assigned to monitor and secure. Hale said the department was taking steps to remedy that.
The department also needs to better define the roles of the 68 cyber protection teams each of the military services have been building under the auspices of U.S. Cyber Command. Until now, their job has been to fly to DoD sites experiencing cyber emergencies and fend off attacks, but Hale said DoD wants them to have more of a day-to-day role in defending Defense networks.
“This year we have initiatives to better integrate the CNDSPs and the cyber protection teams so that we have an integrated approach,” he said. “By the end of the year, I think we’ll have a more solid notion about how to do that. We want the CPTs to be more focused on making sure particular mission threads are secure, end-to-end, and as we continue to redefine these IT work roles we’ll continue to define how these different groups relate.”