The Army Aligns Its Strategic Cyber Posture for the Future Fight
As with the U.S. industrial base, commercial market and defense sector, the cyber threats to U.S. Army networks are increasingly complex and persistent. The service’s chief information officer, Raj Iyer, along with its key communication and network leaders, is positioning the Army’s information technology infrastructure and strategically aligning its cyber posture to protect against future attacks.
Issued a year ago, the President’s Executive Order 14028, Improving the Nation's Cybersecurity, required federal agencies, including the Department of Defense, to enhance their cybersecurity and software supply chain integrity. This order has helped propel digital security, Iyer noted.
“Executive Order 14028 got us there,” Iyer said, speaking April 27 at AFCEA’s TechNet Cyber conference. “I think for the first time, with the White House order, that recognized there was a connection between moving to the cloud and cybersecurity. We've always thought of these as independent events but clearly if anybody is still debating whether the cloud is more secure, I think that debate is now over. That doesn't mean just moving to cloud makes you somehow automatically more secure. You still have to make sure that you build in the right cybersecurity controls even into a cloud environment, but when done right, the cloud is inherently a lot more secure and resilient than any of our on-premises computing.”
In addition to accelerating cloud migration efforts, the presidential mandate also addressed information technology (IT) and operational technology (OT) environments. And although the Army and the traditional CIO/G-6 community were already very practiced with the need to strengthen both, the Executive Order’s language is important, Iyer noted.
“What this community has not recognized in the past is how vulnerable the operational technology is,” he stated. “What the Executive Order made very clear is that they are both vulnerable. They are both part of the attack surface. And you are going to have to manage them both the same way because one vulnerability on IT or OT can indeed, you know, traverse across the network to something else. We must make sure that we are able to see across the entire attack surface area, whether that's our enterprise networks or tactical networks or cloud, operation technology, or weapon systems.”
Our Army Attack Surface Assessment was necessary given the threat environment, says Raj Iyer (r) @USArmy #CIO with @signalmag's George Seffers (l). We know we are moving into our future fight w/sophisticated adversaries who are very smart technically w/jamming & EW. #AFCEACyber
— Kimberly Underwood (@Kunderwood_SGNL) April 27, 2022
One of the challenges the Army is facing regarding cyber is discerning specific roles and responsibilities, the CIO said. About a year and a half ago, the service separated out the CIO job from the G-6’s duties, which were once combined under one leader. At the CIO helm since November, Iyer performed an assessment of Army cyber processes and found some areas to resolve.
“There were some challenges that we had to overcome,” he shared. “When it comes to looking at these threats, …. with CYBERCOM’s [U.S. Cyber Command’s] and the CIO’s authorities as it relates to Title 40 and Title 44, it is not so clear. And that's a concern. I nominate authorizing officials across the Army and at the end of the day when it comes to cybersecurity for the network, that's me. And yet the director authority for cyberspace operations that’s from CYBERCOM to ARCYBER [Army Cyber Command] and it needs to be reconciled with balancing cybersecurity risk with mission risks. That's an evolving framework, that's an evolving governance structure and we haven't yet fully matured into what that means for us.”
Another area that the CIO is working on involves commercial cloud and adapting to that kind of environment versus on-premises data centers. “The Army is relying on the commercial industry for our cloud service providers,” Iyer noted. “As part of this ecosystem, that’s what we have to work with now. And the way we work with industry is very different from us managing our own data centers. We have to acknowledge that and we have not fully matured into that.”
Moreover, the Army has 42 different networks, which are nonstandardized when it comes to the policies that are enforced and the various stakeholders. “We have to make sure that we have that unity of effort when it comes to cybersecurity,” the CIO mentioned. “Because if you cannot see across all of these networks, if ARCYBER cannot see across all of these networks from a CSP [cloud service provider] perspective and overwatch [duties], then clearly, we have gaps in terms of our ability to address these vulnerabilities.”
Additionally, Iyer emphasized that companies or officials supporting Army-related Risk Management Framework (RMF) processes should now focus on achieving effective continuous monitoring levels. It is an important cultural shift, he said.
“We all hate the RMF process,” he stated. “Everybody knows it's bureaucratic, it takes too long but I think we are focused on the wrong things. We've worked quite a bit over the last few months to get us to RMF 2.0, and now the emphasis is on the continuous monitoring piece. Let's not focus so much on just getting that initial ATO [authority to operate]. That's a necessary thing, but it's not the end. And so, changing the culture to focus more on cyber, on continuous monitoring, especially when we have a dynamically changing threat environment.
“Our threats are not static. They are dynamic and our adversaries are getting more and more creative when it comes to attack vectors. In that environment a one-time ATO doesn't solve all our problems.”