Each of the three military departments would be given the discretion to appoint a new senior, Senate-confirmed official to handle information technology issues under a legislative proposal the Pentagon is preparing to send to Capitol Hill.
The Army, Navy and Air Force have all signed onto the proposal, but its chief proponent is the Department of the Navy. It is the successor to Navy officials’ earlier attempt to internally restructure their bureaucracy and designate a new Assistant Secretary of the Navy for Information Management.
The legislative proposal differs from the previous effort in that it would let each of the military departments add a fifth assistant secretary without doing away with any of the others. But the basic idea is the same: the Navy believes it needs an IT and data management official who is both at the most senior levels of its organizational chart and who is focused on those issues full time.
Although the Army and Air Force are still deciding how they would use the authority, the Navy would use it to appoint the new ASN for information management almost immediately if Congress permits it in its upcoming deliberations over the 2020 defense authorization bill, Navy Undersecretary Thomas Modly told reporters Tuesday.
He said he and Navy Secretary Richard Spencer have concluded the step is imperative largely because of an onslaught of cyber attacks against military networks by foreign adversaries.
“It’s relentless from the Chinese and the Russians and the Iranians and people that we can’t identify,” he said. “So we’re going to have to start getting a lot more creative about how we make it more painful for them to do that, but we also have to clean up our own act.”
Spencer and Modly have previously described the new assistant secretary as something of a supercharged chief information officer, with broad authorities over the Navy and Marine Corps’ networks and cybersecurity practices, but also incorporating the functions of a chief data officer.
But the prospective position’s exact duties are still undefined.
To flesh them out, the Navy established a tiger team for information management, and assigned Ron Moultrie, a former senior National Security Agency official to lead it. The team’s initial results are expected by June 1, and it expects to have final recommendations ready to present by June 30, Modly said.
“That will give us something to go to the Congress and say, ‘Hey, this is what the structure is going to look like,’” he said. “But the secretary has been very clear that this needs to be a net-zero in terms of personnel, so it will largely be moving billets and funding around to help fund this thing. But I can’t tell you much more than that yet because I’m sort of letting Mr. Moultrie do his thing.”
Moultrie was also one of the four members of a Navy Cybersecurity Readiness Review Team that released a damning report on the state of the service’s cybersecurity in March. Its report concluded the Navy faced an “existential threat” because of its failure to properly secure its IT enterprise.
Among the issues the report pointed to was the Navy’s disjointed and multi-layered governance structure for IT and cyber matters.
“A key observation of the review is that the authority, responsibility, and decision-making power for information risk management has been confused by its distribution within the DON, resulting in fragmented, or uncertain response to the expanding threat,” the authors wrote. “Also, many of the policy and funding decisions do not reflect the current risk profile.”
The review’s findings were one major factor that convinced Spencer that the Department of the Navy needed to not just move its CIO authorities to the highest levels — as it did when Modly assumed the title of DON CIO — but also make the position one that could focus on IT and cyber issues full-time.
Modly, who wears several other hats, including that of the DON Chief Management Officer, said the new assistant secretary would probably also need to have a voice in matters that currently fall within the CMO’s purview, including business systems.
“There’s a new business operations management council that I chair as the CMO for the department, and there will be roles within that council for the ASN for information management, but everything is still going to come up to me for approval,” he said. “So we’ll figure out ways to sort of bifurcate which decisions that person will be allowed to make, but the CMO will make others. And that’s just a matter of evolving authorities and governance.”
Spencer first announced the plan to set up the assistant secretary role at a conference in January.
Modly elaborated at another event several weeks later, saying the Navy believed it could establish the position under its own authority by eliminating its assistant secretary for installations, energy and environment (EI&E) — the sole discretionary assistant secretary position that exists under current federal statute — and using that slot for the information management job instead.
But Sen. James Inhofe (R-Okla.), the chairman of the Senate Armed Services Committee publicly chastised Spencer at a March hearing for having announced the plan without adequately consulting with Congress.
His objections had to do with ongoing revelations about substandard living conditions in privatized on-base hosing, an issue that falls within the EI&E portfolio, and one that he and other members of Congress believe requires ongoing attention by a Senate-confirmed official.
“Congress said, ‘Hey, look, why don’t you take a break on this, but we’ll consider giving you a new, assistant secretary for this.’ And so that’s the path we’re going down,” Modly said.