With the notion that the best cybersecurity starts with the best people, the Department of the Navy is asking its own workforce for ideas.
“We’re getting ready to kick off a contest now within the Navy for our uniformed personnel to say, ‘Give us some creative ideas on how we can get rid of Windows XP and [Windows] Server 2003 on our embedded platforms without bringing these ships into port to get it done and waiting for the next generation of capability,’” Janice Haith, deputy chief information officer for the Department of the Navy, said May 19 at ISC²’s CyberSecureGov conference in Washington. “We’re going to pay them a significant amount of money to do that.”
The Navy is partnering with Defense Innovation Unit Experimental (DIUx) for the contest that will likely launch around Memorial Day, Haith told Federal News Radio. DIUx, along with vendors in Silicon Valley, will judge the ideas and then will help the department get them off the ground.
The goal is to solicit ideas from the people who use these embedded platforms every day in the field, Haith said. It’s also a recognition that when it comes to cybersecurity, there isn’t always one piece of technology or one strategy that will help agencies secure their systems.
“You can’t say one size fits all and one solution fits all,” Haith said. “For the DoD environment, or just the federal government in general, we’re all looking at a compilation of strategies and solutions that help us mitigate these risks.”
The Navy is focusing on some of its legacy systems and embedded platforms, specifically its tactical capabilities deployed on the service’s 300 ships. Haith said the Navy is trying to figure out how it can mitigate cyber risks on those systems when their ships are not at the port.
“What do we need to do to bake in security to the beginning of the design of a new capability?” she said. “How are we going to be more agile to handle these things throughout the course of the lifecycle? Our average lifecycle is about 10-15 years on some things. … Money is getting tighter for us.”
A lack of resources is perhaps one of the biggest barriers agencies have in modernizing and securing their systems.
A new ISC² and KPMG survey of 54 federal managers and contractors with cybersecurity responsibilities in government found that 64 percent of respondents indicated a lack of funding as one of the top factors that prevents their agencies from making real progress on cyber initiatives.
And though many agencies admitted the administration’s 30-day cybersecurity sprint last summer was much needed in the wake of multiple breaches at the Office of Personnel Management, many managers are pessimistic that the sprint achieved noticeable progress.
Roughly 52 percent of survey respondents said their agency’s response to the 30-day cybersecurity sprint has not improved cybersecurity.
When asked about one thing their agency has prioritized in direct reaction to the OPM cyber breaches, 35 percent of respondents said they’re putting a bigger emphasis on preventative measures, such as multi-factor authentication and monitoring. But 25 percent of respondents said no changes have been made, the survey said.
Dan Waddell, director of governmental affairs at ISC², said the administration’s directives, like the cyber sprint and the development of the Cybersecurity National Action Plan, have been useful to the military, which typically takes a “command-in-control” approach when it receives new orders and then responds with new practices and procedures.
Haith said the administration’s directives have pushed the Navy to think about its decision-making differently.
Defense Secretary Ash Carter last year mandated a cybersecurity scorecard, which measures the services’ compliance with standards. The scorecard also helped the Navy’s employees think about cybersecurity differently, Haith said.
“It has been an eye-opener for us on how bad we were doing in cyber hygiene, not just patching and things like that,” she said. “We couldn’t get control of our sub-nets within our network enterprise. We didn’t know how many sub-nets we had. We have the CAC card, as we call it, and we’d been using it for years, but we never enforced it. It’s time to enforce it. We’re enforcing it, and we couldn’t believe the screams we got.”
But civilian agencies just don’t see it that way, Waddell said.
Holding leaders and employees accountable for implementing new cyber standards and directives is another issue.
When the Navy suffered a cyber attack a few years ago, Haith said the service had a difficult time identifying a specific person or organization that would be held accountable.
Troy Johnson, director of the Navy’s cybersecurity division, said his team is writing technical standards specific to the service and based on National Institute of Standards and Technology frameworks, which they will use to measure leaders’ performance.
“We want those standards to be easier to implement and hold commanders accountable,” he said during a recent conference sponsored by the 1105 Government Information Group.
The Navy is writing about 40 technical standards, with about half already done and in the middle of the implementation process.
“Each commander will apply the standards in a way that fits their own domains, and the question will be whether they are complying with the standard and how they are proving it,” Johnson said. “We don’t think there is a one-size-fits-all approach to how these standards are applied.”