Army Takes a Broad View of Cybersecurity
Different requirements vie with rapid acquisition.
The Army is approaching cybersecurity in “a systematic methodical way that takes into consideration that not all things have the same level of risk or threat involved,” states Maj. Gen. Garrett Yee, USA, military deputy to the Army Chief Information Officer(CIO)/G-6.
He cites as an example trying to secure a stand-alone device that is not connected to the network but has an information technology component, versus securing a device that is connected to the network. The stand-alone device offers a negligible risk, so efforts should focus on the connected device, he offers.
Gen. Yee emphasizes, “Cyber cuts across everything—it must be a priority.” The emergence of the Internet of Things, with all the devices it will add to networks, presents a unique challenge. The general suggests building cybersecurity into capabilities. Code built into a capability would be scanned incrementally during the process of development instead of at the end, when discovering a problem would hold up the works.
Another approach to be considered is avoidance. Planners must consider whether adding a device to the network introduces more of a capability or a vulnerability. If a nice-to-have Internet-enabled device that is not really needed is added to a platform such as a tank, it might be bringing additional risk unnecessarily, he notes.
Many experts believe that incorporating security throughout the development process could slow up acquisition. Gen. Yee suggests that the idea is to put products into the hands of soldiers sooner, even if not fully built out. A minimum viable product, or MVP, might be 75 percent of potential capability. Yet, this MVP would be functionally sufficient to put in users’ hands, the general offers. Soldiers would provide immediate feedback on how the product performs, which could lead to several potential outcomes: it might not work well, necessitating its removal; it might show the way to a final product; or it might illustrate a new way of use that would lead to a wholly new capability.
The general’s greatest fear is to miss an opportunity currently available to the Army, he admits. In particular, he worries that the service could be unaware of a capability today that could benefit the force five to 10 years in the future. Many small startups have new approaches that could meet Army needs or open the way to a new capability that would enhance the force, and these firms need to make their wares available to acquisition officials.
“I see the future of cyber continuing to evolve,” Gen. Yee states. “We’re getting better at it. As I look at where we’re at today and what we’re able to do, versus three or four years ago, we’re light years ahead of where we were then.”
Gen. Yee is cautiously optimistic about the future, believing that things will work out if the Army does its homework.