Defense cybersecurity leaders say partnership, consistency needed to uphold executive order
The Defense Department is not lacking when it comes to vocabulary around cybersecurity. But cyber leaders, especially from the Army, would like to see more shared use of that vocabulary and cross-domain implementation.
Maj. Gen. Matthew Easley, director of cybersecurity and chief information security officer in the Army’s Office of the Chief Information Officer, said it is key for cybersecurity professionals to use the five functions of “identify, protect, detect, respond and recover” as they communicate with each other, stakeholders, executives and industry.
“One of my personal opinions is we have enough frameworks: We have the risk management framework, we have the cybersecurity framework, we have the zero trust framework that I will get into later in the talk,” he said during a hybrid event hosted by FCW last week.
He said in his building, at least, they don’t talk about the cybersecurity framework enough and it takes executive-level decision-making to prepare an organization’s enterprise for it.
The president’s May executive order on cybersecurity was a turning point in the way agencies evaluate their posture, and Easley said that as far as DoD is concerned, the EO’s primary tasks were to continue cloud migration and implement a zero trust architecture. The Army’s cloud plan in particular is what is being called cArmy. Easley said that consistency and repeatable deployments to the cloud are critical for cybersecurity because without cArmy, mission owners would have to provide services on their own. That would mean each cloud instance could be built and secured differently, thus making prevention and detection more difficult.
He said that with the majority of the Army’s workforce now in non-traditional places, the office’s local area network isn’t what it was before, hence the need for zero trust. On a home network, all connected peripherals and Internet of Things devices sit next to a machine processing proprietary business information, in an environment with physical security controls different from those in the office.
“Even your data center [is] probably now a hybrid mix with some processes executing on-prem and some off the security solutions that prevent incidents from my identity credential access management to the data analytics monitoring both the processes and security of the process, or mix of your legacy systems and cloud based solutions,” he said.
Both Easley, and Sudha Vyas, chief cybersecurity architect in the DoD’s Office of the Chief Information Officer, said that enforcing zero trust would require a partnership across domains. As Vyas put it, “the beauty about DoD is the scope and complexity. And the reason why I say the beauty is because that just provides a slew of different use cases and opportunities, where we can find where we can actually pull in evolved.”
Within the portfolio management office, it is important to find key metrics that depict how the department is moving or implementing those key zero trust capabilities, for example, minimizing the use of virtual private networks, she said.
The authorities within DoD to get after zero trust already exist, but the issue is putting them in the right place at the right time, according to Terry Mitchell, principal cyber advisor (PCA), Office of the Under Secretary of the Army.
In his position as PCA, he has to assess areas of training, talent management, acquisition, cyber management operations and the adequacy of the cyber budget for the service. He said that after talking with the congressional staffers who created the legislation which enshrined the PCA role into law.
“When I met with the staffers and you kind of asked… why they created the PCA, it’s really an ability to kind of push the services to look toward the future and show how much cybersecurity DoD is getting for their money,” Mitchell said.
He said the partnership description came up when talking to Sens. Mike Rounds (R-S.D.) and Joe Manchin (D-W.Va.) on the Senate Armed Services Committee.
“Their point is – they believe the PCA is a partnership. [It] isn’t just within our services, but it is within DoD, within the other federal players and industry. And so they expect us to go out and sit with vendors and say, ‘what are the best practices?’” Mitchell said. “So we can bring those requirements to the table, work with [the Office of the Secretary of Defense] to make sure that that dollar is actually getting us to where we need to go. But it is a true partnership, and I think I’ve heard this word like five or 10 times this morning, but we can’t do this by ourselves – the threat’s too big and is too persistent.”