Incoming: The Benefits of Collective Cybersecurity Are too Compelling to Ignore
Second of a two-part series.
Few if any topics cause more stress across the Defense Department than cybersecurity. As I noted in my last column, department leaders have taken many steps to address the problem. While most of these steps are helpful, we still see a lot of emphasis placed on setting and enforcing cyber standards across the department and its broader ecosystem of stakeholders.
There certainly is a place for that approach, but by itself, it is insufficient. As I wrote last month, in a world in which we are all interconnected and only as strong as our weakest link, the “every-man-for-himself” approach does not, and cannot, work. We need a greater focus on building better collective defenses. Three approaches offer potential.
First, effective cyber solutions will take a collaborative, community approach involving government, academia and industry. Individual organizations each bring their own areas of expertise, insights, approaches, technologies and perspectives to bear on the problem of cybersecurity, but one alone cannot deliver a silver bullet solution.
Second, cybersecurity must be a foundational component of everything that the U.S. military community does. Anything that is connective—a weapon system, a computer network, a hospital, an application, a facility, an industrial control system or a smart appliance—must be designed with cybersecurity in mind.
Third, we need to find common solutions that effectively serve the broader defense community. It is simply impractical to expect each organization within the Defense Department’s extended stakeholder community to possess the resources, expertise and cybersecurity assurance programs that are needed to maintain effective cybersecurity postures. Budget constraints are real, as are the shortages of talent in this area. Moreover, the threat landscape is enormously complex and evolving too rapidly for even the most well-resourced organizations to keep pace with.
The snapshots of federal cyber readiness we see from the Government Accountability Office, inspectors’ general reports and newspaper headlines make it clear that far too many agencies and organizations are failing to attain acceptable levels of cybersecurity. We need better ideas that offer these organizations a viable path forward.
The good news is that a few promising and novel ideas are beginning to emerge.
This spring, for example, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said her office was exploring the idea of standing up secure enclaves for small companies to use as they develop software for military purposes. This would be a great option for many small companies that offer promising innovation to the Defense Department but view the Pentagon’s strict cybersecurity requirements as a cost-prohibitive barrier to doing business.
By offering government-furnished secure enclaves within a government cloud, the department can provide small businesses with cyber-hardened tools and environments with which to develop their software. And, by using those secure enclaves, those companies will automatically get an authority to operate for their software products.
Another promising idea starting to gain traction is managed cybersecurity services, which can help resource-constrained organizations beef up their cybersecurity postures in a highly cost-effective manner.
Managed cybersecurity services—in which my company, Accenture, and others are investing—enable smaller agencies and organizations that would otherwise have no viable organic cybersecurity capability because of budget constraints and talent scarcity to access state-of-the-art capabilities. These would include robust cyber management, detection and response (MDR) services to effectively address today’s and tomorrow’s cyber threats.
In this way, smaller organizations and agencies can focus their limited resources on core mission and business needs. This model of delivering cybersecurity services is new for government, but it is already proving itself in the commercial sector.
Whether the solution is a government-furnished secure cloud for small businesses, a managed cybersecurity service or something else, the benefits of a collective cyber defense approach are clear. They include improved security for all and a far more efficient use of cyber-dedicated resources.
Because of these compelling benefits, I expect we will see more and more attention focused on collective approaches like these.
For example, we are already seeing the Army, Navy and Air Force exploring options for enterprise IT as a service. These efforts will surely include important cybersecurity dimensions to them.
And as the armed services and other Defense Department organizations gain a stronger comfort level with as-a-service offerings, I expect they will inevitably begin looking at sourcing more of their cybersecurity in this way.
Lt. Gen. Susan Lawrence, USA (Ret.), is managing director for the Armed Forces Sector, Accenture Federal Services. She previously served as the CIO/G-6 for the U.S. Army as well as the commanding general for the Army’s Network Enterprise Technology Command (NETCOM).