The Cyber Edge Home Page

  • John Zangardi, acting DOD CIO, closes out AFCEA's Defensive Cyber Operations Symposium.
     John Zangardi, acting DOD CIO, closes out AFCEA's Defensive Cyber Operations Symposium.

Zangardi: Better Cybersecurity Needs Technology, Talent

The Cyber Edge
June 15, 2017
By Sandra Jontz
E-mail About the Author

The swiftly changing cyber domain demands a dynamic and dedicated partnership between the U.S. Defense Department and industry—a critical relationship for the development of both technologies and the work force needed to help the United States maintain a superior edge over adversaries, said John Zangardi, the department's acting chief information officer.

“The theme for this week’s symposium is absolutely on point for cybersecurity and IT: connect and protect,” Zangardi said. His keynote address wrapped up the three-day AFCEA International Defensive Cyber Operations Symposium (DCOS), which focused on the requirements that will propel Defense Information Systems Agency (DISA) and Joint Force Headquarters-Department of Defense Information Network (DODIN) missions.  

A foundation for a resilient cybersecurity posture is good cyber hygiene, Zangardi said, citing the recent WannaCry ransomware attack that crippled systems not protected by a Microsoft vulnerability patch as an example of the importance of good hygiene. “For those who were affected by WannaCry, cyber hygiene may have helped them,” he said. “We track cyber hygiene across the department through the DOD cybersecurity scorecard.” The scorecard tracks cyber compliance across 11 basic tenants.

“If an organization can’t measure [metrics], how does it know anything about its cyber readiness and vulnerabilities?” Zangardi asked. “This approach allowed us to make measurable, actual improvements to the department’s cybersecurity posture.”

But the scorecard is not without shortcomings, he added. The approach is static and relies on manual data entry and is somewhat limited in functionality. “My team is working on what we call cybersecurity scorecard 2.0, [with] an objective to create a threat-based or heat-based scorecard that is agile, dynamic and automatically updated.”

Another effort to boost security currently underway is the reduction of the department’s attack surface, he shared. “We are advancing our thinking on cybersecurity for tomorrow’s threat environment by proving cloud security.” DISA has issued guidance that military agencies can use to connect to commercial cloud providers via cloud access points, or CAPs. Though unpopular, he said, from a cyber perspective, the CAP approach serves an important purpose for Defense Department data in the cloud, especially for determining whether cloud services can accommodate data classified at the higher security levels. “Because most vendors have connections to the Internet, the department needs to make sure that DOD data at [classification] level four and above is hosted in a secure commercial environment.” 

Information technology innovation today, more often than not, comes from the private sector and not government, Zangardi said. “A common thread through everything we do in defense, and more so in cybersecurity, is industry partnership,” he said. “We can’t solve today’s complicated problems with yesterday’s thinking or technologies.”

A protected future means incorporating key technology enablers, such as machine learning, to “meet the threat at velocity,” he said. “But technology alone cannot solve our cybersecurity challenges.” The flip side of the development coin must included hiring and retaining the right talent to create the needed work force. The current cumbersome hiring process is too slow for the fast-paced cyber community and frustrates those hiring and those seeking employment alike, he said.

The Defense Department created the Cyber Excepted Service, an enterprisewide, Congressionally granted authority to speed up the hiring process for and better management of cyber professionals. It also leverages a market-based pay structure to deliver targeted and competitive compensation packages for civilian personnel, he said. 

“One of the ways the compensation package will be more competitive is by establishing targeted local market supplements based on a range of factors, like mission needs or work roles … and the flexibility to hone in on specific parts of at the cyber work force,” Zangardi shared. 

That said, he acknowledged that the government might not ever be able to compete with salaries paid by private businesses. “We just can’t,” he said. “The mission and patriotism need to be the prime motivators for coming [to work] here.” The hiring plan will focus on both near-term needs while also laying a strong foundation for development of the future work force, he added. 

The right employee development plan is a goal that ties in with the government’s responsibility to meet challenges that keep some children from learning the skills they will need to find work in a technology-based future. The government must cultivate students and demand adequate science, technology, engineering and mathematics (STEM) skills necessary to maintain the nation’s competitive edge, Zangardi said.

Future jobs will need well-rounded employment candidates. For years, the nation has done a good job focusing attention on students’ literacy skills, he said. For five decades, the effort Reading is Fundamental has been committed to a literate America—but what about building confidence in math?

“It’s about inspiring children, building a strong work ethic and developing a ... child’s perseverance,” he said. “Perseverance is the key to success in life.”

Departments: 

Share Your Thoughts: