In Army Cyber, Policy Meets Reality
What once was top-down governance in the G-6 is now more of a two-way street.
The U.S. Army is narrowing the gap between policy and operations as it confronts new threats in cyberspace. Field reports are having greater and faster influence on the issuance of directives, and intelligence is now a major player in determining cyber policy.
“Aligning cybersecurity directly with our operations to achieve readiness is the key to succeeding and moving forward,” says Carol Assi, division chief for cybersecurity policy and governance in the Army Chief Information Officer (CIO)/G-6 office. “And shrinking the gap between operation and policy, having continuous dialogue and working hand in hand, addressing issues in a collaborative environment, [are essential] to that. We no longer can afford to work in silos.”
Assi focuses on cybersecurity policies as well as governance. She also is in charge of some functional areas. In other areas where she is not in charge, she works closely with the respective functional leads to ensure that policies are updated and provided across the Army. Her office coordinates with major players in cybersecurity and cyber operations, along with the Defense Department. Departmentwide policies must be addressed in the Army concurrent with service activities.
As the CIO/G-6 office considers Army cyber needs, it is watching emerging threats closely, particularly those that menace technologies the Army is adopting, Assi says. She distinguishes between examining the effect of technology on the user and considering it in the larger scale of policy implications. “Is my policy up to date, and how quickly can I put it out?” Assi poses. If the basic policy cannot be updated rapidly, then her office issues memos to notify the field of any changes.
The rapid pace of emerging threats is the office’s biggest challenge, Assi offers. “It does not afford us the time to stop, think and plan,” she illustrates. As a result, the office must address these threats swiftly.
Another challenge involves priorities. The Army continues to upgrade its command, control, communications and computer (C4) systems through long-term planning, and these efforts must account for cybersecurity threats. This requires a culture change at all levels.
“We need to balance cybersecurity risk acceptance with mission requirements,” Assi declares. “We need to be able to work in a contested environment. To achieve that concept of balance, we need to understand both the mission needs and the risk … because at times we are not going to be able to stop or impede our mission.”
The space between policy and operational support is shrinking, Assi maintains, as her office tries to synchronize requirements and responses. The most important element of this convergence is feedback from the field. That, in turn, must be translated into policy. For example, a requirement not to use a particular device may be contradicted by operational experiences lauding its use. Her office will reconsider the policy by looking at how to reduce risk and provide guidance for the device’s use.
Sharing the mindset behind policy is important, Assi emphasizes. That enables field personnel to better express a policy’s shortcomings as well as possible adjustments.
She stresses that the CIO/G-6 has an overarching responsibility to influence the Army to include cyberspace in policies and requirements. A notable change is how cyber has elevated the timeliness and importance of addressing security capabilities from the onset of system development. “From planning to design to development up to maintenance—we’ve had that guidance in the back of our minds in the past,” Assi explains. “Today it is emphasized more, given the [operations] tempo, given the missions we conduct worldwide and given the connectivity. We are trying to influence and drive cybersecurity integration into C4.”
The Army’s C4 modernization plan is often viewed from a technology perspective, she elaborates. “Some of the technologies that we are deploying to modernize the network also provide us a lot of our cybersecurity capabilities,” Assi says. As an example, she cites the Joint Regional Security Stacks (JRSS). Conceived from a network and data standpoint, JRSS now is being leveraged to integrate cybersecurity. The Army also is upgrading to Windows 10, which has a lot of capabilities—and potential—that can be tapped for cybersecurity.
The C4 modernization will allow the network to be viewed from an end-to-end perspective as well, she continues. It will provide visibility into the network, including the tactical edge.
These changes are being driven by technology evolution, not just the increased importance of cyber, Assi states. Technology development has been influencing Army networks for years, but now the new factor is how to make innovative capabilities cyber-ready—capable of withstanding any attacks and continuing to conduct a mission in a contested environment.
The increasing influence of cyber on the Army’s C4 modernization plan is impelling greater flexibility, she continues. Cyber’s dynamic nature mandates that leaders understand that “change is a must, and change in a timely manner is a must,” Assi declares. “Our plans and our strategies have to reflect the ability for us to change.”
The establishment of the Army Cyber Center of Excellence at Fort Gordon, Georgia, has not changed the CIO/G-6’s policy making, she states. Her office continues to support the center as well as other related organizations throughout the Army. It coordinates its policy efforts with the center, and recently it has increased these efforts with regard to doctrine. The center will request feedback from her office on its documentation, Assi relates.
Cooperation and coordination with the center on cybersecurity is increasing, she adds. The CIO/G-6 liaison to the center has been the key to increasing that coordination, Assi allows.
Her CIO/G-6 office also works with the G-3/5/7 on critical infrastructure, she notes. She views her role as bringing cybersecurity policies and support into that environment. This includes the risk management framework and the way it is implemented from a policy and process perspective. Assi will be sitting on a G-3/5/7 board to provide feedback before a system connectivity decision is made.
Another major influence on Army C4 is the re-emergence of electronic warfare (EW). It is changing the face of cybersecurity, and Assi declares, “Cybersecurity is the foundation for EW.” She explains, “In any Army activity, including EW, you have to start from a strong cybersecurity posture. Cybersecurity policy and requirements give you that strong foundation or structure that you can leverage into other missions that you’re going to conduct under any functional area.”
Assi adds that her office is working to align with the recent presidential security directive at the Army level. It is coordinating these efforts with the Defense Department as it endeavors to avoid affecting the service’s mission. She allows that this may result in some adjustments to the Army’s policies and practices, although her office will try to minimize its effects on Army operations.