The Defense Department has no shortage of regulations designed to encourage and enforce good cybersecurity behavior on its own networks. But DoD’s chief information officer said as of now, there are too few consequences for users who run afoul of those rules. That’s about to change.
DoD CIO Terry Halvorsen noted that military culture is accustomed to disciplining members who violate even the simplest of rules, but said the Pentagon has not yet found its way to apply that type of rigor to users who, for example, plug their personal devices into a government computer’s USB port.
He said the Pentagon intends to implement measures that will hold both users and their commanders accountable when they violate basic rules of cyber hygiene.
“What happens if you negligently discharge a firearm? Do you get a little piece of paper that says, ‘Please don’t do that again?’ We treat that pretty seriously,” he said. “And I would argue that the weapon represented by the network is far more dangerous, far more powerful and can cause us far more damage than a single stray shot from an M-16. We have got to raise our accountability level.”
Halvorsen outlined his views on accountability during an address to an AFCEA conference on cyber defense, saying DoD needed to increase its overall focus on “basic” defensive measures.
He did not specify precisely what the new accountability measures could entail, but said they would be implemented by also making commanders responsible for the cyber behavior of the users under their charge.
“We — including me — have not put enough of this out into the command channels,” he said. “We have not done enough to educate the command chain about what they should be expecting, what’s normal behavior and what they’re responsible for. You’re going to see us doing a lot of that. We’re going to let all of our individuals know that, ‘Hey, we’re actually really serious about this,’ but also the entire command. Senior enlisted leaders and civilians absolutely have to be involved in that too. We have not done a good job of putting that whole leadership team together. And frankly, I don’t see a lot of that in industry either. This is a national problem.”
Halvorsen said uniformed servicemembers and civilians should also expect to see changes in how they are trained and tested on basic cyber safety measures.
The current methods, he said, mostly involve mandatory once-per-year online test modules that he asserted do not make much sense if their aim is to inform users about what to do and what not to do when accessing the Internet through government networks.
So he said the rest of the department will begin adopting ongoing evaluation and education processes first piloted last year at the Defense Information Systems Agency.
“Doing this in a one-hour shot where your goal is to get to the answer sheet as quickly as possible so that you can get a certificate and don’t have to worry about it again until next year is not exactly the best learning environment,” Halvorsen said. “We’re going to do some continual testing. You may be just sitting at your computer one day, and you’ll get a question. If you answer it right and keep answering them right, we like that. But if you answer two or three questions wrong in a row, we have to do more than just sending a note — we probably need to have an intervention of some kind. We’re going to do something specific, because that’s how people learn.”
But Halvorsen also made clear that many of the cybersecurity “basics” his department needs to address have more to do with the ways in which DoD’s IT systems are designed and organized than the behavior of users.
For instance, even though DoD has for years used PKI credentials on common access cards (CAC) as a two-factor authentication mechanism for many purposes, myriad systems still rely on easily compromised usernames and passwords for authentication.
“We have to kill passwords. We just have to kill ‘em,” Halvorsen said to applause. “But the CAC card isn’t going to work for everything or everybody. Industry has to be doing the same things we’re doing, or this whole ecosystem doesn’t work. Two-factor authentication is something we can all get to and it’s something I hope we can all agree on. It’s another national problem. There’s lots of technology out there and I don’t know what the answer is yet, but passwords aren’t the answer. They’re just too easy.”
Halvorsen did not propose any specific timelines for eradicating passwords, but like other DoD officials, he said the department is serious about doing so.
He said once DoD settles on alternative authentication strategies, government system owners who want to continue using usernames and passwords as their sole user verification methods will face an extremely high level of scrutiny.
“There are going to be some people who tell us, ‘We can’t get there.’ We’re going to say, ‘No problem, but you can’t stay here,’” he said. “For too long, we’ve been too easy with our waivers.”
Halvorsen said the department has adjusted its waiver process with respect to user authentication so that any systems which still rely on usernames and passwords must be approved by the leaders of both the DoD CIO office and U.S. Cyber Command.
“We’ve already warned the [Secretary of Defense] and deputy secretary of Defense that the new waiver process is going to cause some screams. Their response has been, ‘We’ll buy better earplugs.’ So this is coming. We have to do this,” he said.