A Banner Year for Cyber Implementation
Pentagon officials are wasting no time implementing cyber strategy.
Last year the U.S. Defense Department released a cyber strategy and followed that with posture review that identified more than 90 gaps in cybersecurity capabilities, many of which were determined to be critical shortcomings. This year, officials expect to begin implementing the strategy, beginning with several priority areas involving endpoint management, network visibility, user authentication and cyber force development, according to Brig. Gen. Dennis Crall, USMC, deputy principal cyber advisor, Office of the Secretary of Defense.
Gen. Crall made the comments during a keynote presentation at the National Security Technology Forum and Exposition, a joint effort between the University of California San Diego and AFCEA, and during a brief interview with SIGNAL Magazine following the address.
The general told SIGNAL the department is taking specific steps to implement the strategy but isn’t able to discuss those steps. “We’re talking about, for example, lines of effort that we’re prosecuting as part of our strategy. Every one of those has detailed objectives and tasks,” he said. “Some of those we wouldn’t speak publicly on because the assembly of those is classified, but they all fit within that outcome-based top look that the department is driving toward.”
He indicated the first priority is endpoint management, which essentially requires endpoint devices adhere to certain criteria before being allowed to connect to the network. “We’re taking a look at how we define it, technologies like comply-to-connect or perimeter defense,” Gen. Crall said. “One of the areas for this year is the ability to detect all end points on NIPR, SIPR and for the first time, satellite, our satellite programs.” NIPR and SIPR refer to the Nonclassified Internet Protocol Router Network and the Secret Internet Protocol Router Network, commonly known as NIPRNET and SIPRNET.
He also emphasized a need for network situational awareness. “We’ve got to make sure I know what’s on the network, and not just on the operating system level but the mobile devices we have, and at the tactical edge," the general said. "We’ve got to make sure that not only can I see or detect what I have; I need to have the ability to make a decision, to qualify the interchange I have with all of these devices and the new ones that are coming. I’ve got to decide whether to let them join the networks that we’re dependent on. I’ve got to decide, if they’re out of scope, to patch them or to put them into compliance or to quarantine them.”
User authentication is another near-term priority, and the department is prepared to move beyond passwords, security questions and access cards. “We also have to make sure in the aspect of identity credential and access management, that I know you’re you," Gen Crall said. "Now we’re starting to get into things like line identification, so I can determine in math the signature that you have: the way you hold your phone, the way you walk with it, your gate, your meter, your speech, your tempo, your timing, all of these are available to us. We’ve got to make sure you’re you.”
Workforce development also is a top priority. The military already is taking some steps. Recruits with cyber expertise can enlist as commissioned officers, for example, and a program known as Cyber Accepted Service allows the military to offer incentives to personnel with cyber experience. Gen. Crall lamented that the department has not yet taken full advantage of internships. He suggested the intelligence community uses internships much more effectively, in some cases recruiting employees straight out of high school and nurturing them along.
The general also pointed that the time-consuming clearance process also is a hindrance, calling it “the number one killer” for the department. “We bring people on and they’re all excited until they’re here six months and no longer excited because they can’t work on a project. If they went out to industry, they might work on a project in days, but for us it’s months, and it’s a job killer. We have a reform package in place to address that,” he noted.
He explained that the department’s strategies on cybersecurity, cloud computing and artificial intelligence (AI), which have been released one after another in recent months, are closely linked. “They have to be done together. They all have interdependencies. I can’t have breakthroughs in [development security operations], and not have a cloud to put it in. If I have in my AI repository, my algorithmic function ready to execute, but I have no way to pull data into a cloud for analysis, I don’t have AI. We’ve asked for funding and the engineering support for that in that fashion,” he said.
Despite a flurry of recent accomplishments and a bold strategy implementation agenda, the general does see some potential hang-ups. “The big challenge we have is that we have muscle memory and muscle memory doesn’t always favor the kind of outcome pace that I’ve described. My biggest challenge is taking really well-intentioned, great people and getting them to realize we’re no longer running at that pace any more,” Gen. Crall said.
Still, he signals the department will make significant progress this year. “Maybe the banner of last year for our department was strategy, posture review and process. This year’s banner is implementation and outcome,” he concluded.