The Navy’s top civilian cybersecurity advisor says he and his peers in the other military services are moving beyond some initial growing pains as they look to make an imprint on defense budgets and help shepherd the growth of the military’s Cyber Mission Force.
The Fiscal Year 2020 National Defense Authorization Act directed each of the military services to appoint an individual to serve as “the principal advisor to the relevant secretary on all cyber matters affecting that military service.”
The law requires the position to be “independent” of the services’ chief information officer and report directly to the service secretary. The positions are required to be filled by a senior member of the Senior Executive Service and can’t be considered lower than the equivalent of a three-star general officer.
Chris Cleary, principal cyber advisor for the Navy, said there were “a few bumps” in establishing the new positions over the past year.
“There were some challenges associated with getting the offices stood up,” Cleary said during a conference sponsored by SailPoint this week. “And each of the services responded a little bit different in the way that they adopted or embraced the principal cyber advisors within their services.”
For Cleary, the challenge wasn’t getting to know the Navy — he’s a Naval Academy graduate and retired reserve officer who served as the service’s chief information security officer just prior to becoming the first principal cyber advisor.
But kick-starting a new organization at the direction of Congress is rarely a smooth operation within the Defense Department.
“I think that that’s probably a consistent story with any new organization starting up within any environment,” Cleary said. “So it’s no different. And I think for the most part, we’re beyond that. And now we’re really getting into the functions of what it is we’re supposed to be doing.”
The FY-20 NDAA gave the advisors a broad scope to oversee cyber recruitment, training and retention; the acquisition of offensive and defensive cyber capabilities; cybersecurity management and operations; the security of the industrial base; and the security of information technology and weapon systems.
The advisors are also required to review the cyber budgets of their respective services and certify whether they’re adequate. The advisors then brief Congress on the results.
Terry Mitchell, principal cyber advisor for the Army, said the advisors’ new budget certification authority is about “accountability to make sure the money we’re putting into cyber is pushing us to the right.”
“It’s really an ability to push the services to look toward the future and say, ‘OK can I basically show the metrics of, if I give you a dollar, do you get a dollar worth of cyber?’” Mitchell said during an Oct. 28 event hosted by FCW.
DoD’s cyberspace activities budget has steadily grown in recent years to a projected $10.4 billion in the department’s fiscal year 2022 request.
But lawmakers have been frustrated by the lack of detail from the Pentagon on how much it spends on cyber and related capabilities. During a hearing in June, House Armed Services cybersecurity subcommittee Chairman Jim Langevin (D-RI) chided acting DoD Chief Information Officer John Sherman — who has since been nominated for the permanent CIO job — for submitting a sparse six-page summary of the department’s $50 billion cyber and IT budget request.
“Without that level of detail, just to understand, we can’t fulfill our oversight responsibilities,” Langevin said. “We’re in the dark otherwise. And that’s unacceptable going forward.”
Beyond budgetary accountability, the advisors are also expected to help shape DoD’s evolving cyber forces.
“Because the workforce model means that cyber forces are recruited and trained by the services, and then handed to Cyber Command, the service PCAs play an important role in understanding and helping us mature the cyber workforce,” Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang said during an Oct. 20 breakfast hosted by George Washington University’s Project for Media and National Security.
DoD’s Cyber Mission Force is poised to grow in the near future. The CMF currently has 133 teams made up of about 6,200 personnel. The Pentagon’s 2022 budget request seeks funding for four additional Cyber Mission Force teams.
The Pentagon is also on the cusp of initiating a Cyber Posture Review next year. DoD’s inaugural Cyber Posture Review in 2018 led to its “Defend Forward” strategy, which posits that cyber forces should go on the offensive against U.S. adversaries “to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”
As DoD’s cyber doctrine and personnel requirements evolve, Cleary said one of the keys for the cyber advisors is ensuring the services stay integrated in how they’re building their forces and capabilities. While the services often have vastly different missions and cultures, Cleary compared cyber to electricity in its commonality across the departments.
“I think as we get more momentum underneath us, you’re going to see the office of the PCA in the Air Force and the Army look a lot like the office of the PCA within the Navy,” Cleary said. “We’re trying to make sure our functions stay aligned with each other. So whatever the Air Force decides to go do down the road doesn’t look completely different from the duties and responsibilities of the Navy or the Army.”