The Defense Department is spending tens of millions of dollars per year to clean up after cybersecurity breaches – about 80 percent of which are caused by defensive lapses like poor user behavior and failure to apply software patches. So Pentagon leaders say it’s time to ratchet up the pressure on senior leaders to comply with existing security policies and better train their personnel on cyber hygiene.
The DoD Cybersecurity Culture and Compliance Initiative (DC3I) – billed as an effort to “transform DoD cybersecurity culture” – will include a new regime of no-notice inspections, mandates for commanders to incorporate real-world cyber scenarios into all of their unit training and a yet-to-be-determined amount of spending to make military networks more defensible, based on the premise that every dollar spent on up-front security prevents $7 of costs in fixing a breach after the fact.
A memo signed end of September by Defense Secretary Ash Carter and then-Joint Chiefs Chairman Martin Dempsey gives U.S. Cyber Command and the DoD Chief Information Officer 120 days to complete a series of 11 tasks to lay the groundwork for the initiative, beginning with training for senior leaders and for users, with an emphasis on showing them real-world things that can go wrong when cyber policies aren’t heeded.
CYBERCOM and the CIO will build the overall program out of five “operational excellence principles” that borrow heavily from other warfighting disciplines, particularly the Navy’s nuclear force, the leaders wrote.
“In other DoD domains, reporting and accountability, constant assessment and learning are driven by engaged leaders who instill and reinforce the behaviors necessary for our wartime readiness culture to thrive at the individual level. We do not yet have that same culture for cybersecurity. DoD cyber capabilities, ubiquitous cyber-infused mission systems and cyber-enabled business and enterprise-wide network operations were delivered to DoD gradually and built up over time. Consequently, a definitive cybersecurity culture that addresses human performance and the vital role of the individual in our cyber readiness fabric was never instituted on par with the collective importance that information systems have assumed.”
Once CYBERCOM and the CIO have a foundational program in place to drive home the fact that cyber hygiene matters, the military branches, agency heads and combatant commanders will have 120 days to insert the DC3I principles into all of their training programs, including for new recruits, leadership development and professional development.
“Realistic cyber events must be infused into all aspects of operational training, from combatant command exercises to service-level tactical events,” the tasking document reads.” Until training and exercises thoroughly demonstrate the debilitating impacts of adversary cyberspace operations on a unit’s ability to project power, commanders and leaders cannot understand the potential for failure…cybersecurity must become as integral to operations as a tactical unit’s scheme of maneuver. Only in this manner will the culture of cybersecurity and employment be inculcated into the DoD and its warfighters.”
From there, the Pentagon wants to build a new inspection and compliance infrastructure to ensure the new training is having an impact. The Defense Information Systems agency and the new Joint Force Headquarters-DoD Information Networks will implement some scheduled inspections and some without notice. In many cases, they’ll expect any problems they find to be fixed on-the-spot, even if that means calling in outside help.
Commanders will also have to send periodic reports to CYBERCOM on all the training they’ve conducted over the previous quarter and detailing how their units are performing against DoD’s standards. Separately, they’ll need to report any specific cyber incidents within their commands, describe what they’re doing to prevent a similar issue from happening again and what they’ve done to hold their users accountable for any failures. The document also makes clear that commanders who attempt to whitewash any cyber intrusion their units have suffered will themselves be held accountable.
While most of the initiative is focused on the “people” part of cybersecurity, it also makes provisions for some technological upgrades. Within the next six months, CYBERCOM and the CIO will report back on “significant and growing materiel gaps” that are keeping DoD’s networks from being as secure as they should be and what the department must change about its network architectures. The tasking memo diagnoses the problem this way:
“There are inadequate capabilities, authorities and architectures to reliably monitor and remedy enterprise configuration and patch requirements….Due to the complexity of our hardware and software systems and the large number of vulnerabilities that are continually discovered, many providers have to manually scan and patch every single device for all newly-discovered vulnerabilities. This touch labor is expensive, time consuming and leaves a backlog of unmitigated vulnerabilities.”