The 'Secret Weapon' to Securing Cyber Could be Just Getting Along, Says DOD CIO
The key to cybersecurity woes might be found in the relationships created between government and industry, the Defense Department’s chief information officer said.
Partnerships might be the "secret weapon to success," particularly in the IT world, Terry Halvorsen offered during his keynote address on day two of the NITEC 2016 cyber conference in Tallinn, Estonia, presented by the NCI Agency and AFCEA Europe and organized in cooperation with the Estonian Ministry of Defense.
Tossing a challenge to the audience of mostly industry representatives, Halvorsen offered that strong partnerships can begin with banning one word that has become a defense staple: interoperability.
“The technical definition of that is that I have cobbled together enough crap to kind of make it work,” said Halvorsen, delivering a spirited presentation laced with quips and jokes. “That is not what we want. It really does need to be completely connectable [and] integrated from the start.
“It really needs to be plug-and-play. Not plug and figure out how to connect nine more connectors, 12 more integrators and then we play.”
Industry now leads in innovating and in bringing needed tools to governments, Halvorsen said. But collaboration must be a two-way learning street, with government officials needing to know a lot more about what drives industry and what causes its ups and downs, he said.
The Defense Department has a $36 billion budget for information technology and cyber-related issues. “That sounds like a lot of money, and it is, but not a lot of revenue worldwide that’s generated out of cyber,” Halvorsen said.
Not when considering that cyber revenues this year will hit the $1 trillion mark, he said. “While we’re a major influencer, we’re no longer the single driver, and that’s true for all governments.”
In Europe, NATO has begun building a roster of trusted industry partners, with governments proposing to NATO the companies with which they’ve done business, in an effort to expedite the contracting process, said Ambassador Sorin Ducaru, assistant secretary general for emerging security challenges at NATO.
Government and the private sector share the same risks in cyberspace, which generated a natural union called the NATO Industry Cyber Partnership, endorsed at the Wales Summit in 2014 and launched a year later.
In the United States, the DOD launched the Defense Innovation Unit Experimental, or DIUx, created to build better connections with technology companies and innovators that historically resisted working with the government. While DIUx is primarily focused on Silicon Valley-based companies, collaborations extend throughout the United States and beyond, Halvorsen offered.
Leaders hope the experiment will result in altering the acquisition processes, Halvorsen shared. “It’s one of the things we’re going to have to change. We still buy our IT and cyber much like we buy ships and planes. That’s not going to work. I would argue we can’t buy ships and planes that way anymore because they are also cyber assets.”
Industry has to do some schooling as well, Halvorsen contended. “You’re actually not very good at talking to defense,” he said. “While I hear, ‘Hey, we want to break the speed and go faster,’ you want to go faster unless you didn’t get the contract. Then you don’t want to go so fast.”
For example, the number of protests filed by unsuccessful contract bidders has increased of late. “That doesn’t make a lot of sense to me, particularly … when we’re trying to do what you’ve asked us to do,” he said. “We have to resolve that. Speed has to be a two-way game.”
Another goal is improving two-way dialogue about requirements. Halvorsen shared with the audience a technical term he uses to describe the current process: “It sucks.”
He echoed the sentiment shared a day earlier by Adm. Michael Rogers, USN, commander of U.S. Cyber Command and director of the National Security Agency, who stated the government must stop dictating to industry its requirements, and instead showcase the issues and trust industry to devise the solutions.
Government has to break the practice, and industry has to help, Halvorsen said. “In the United States, we have a certification and accreditation process that is the envy of the model of the world. It is so perfect, that it takes about 15 to 18 months to get through the simple steps,” he said sarcastically. “We’ve got to break that.”
Industry, in turn, must be more transparent in showcasing every detail of their products: If he can’t see the software code, the supply line, he’s not buying, he said.
Experts spend a lot of time talking about big-picture cyber defenses while overlooking some of the cyber basics. “We don’t have cyber basics done in the [United States]. We’re making progress. This really needs to be a national discussion.”
The whole population must be educated about cyber hygiene and doing “the easy things” to prevent the greatest number of attacks.
“Every attack that has been successful in the [United States] has either been a direct result of failure to do cyber basics or has been enhanced by our lack of cyber basics,” Halvorsen offered.
The good guys are on the wrong side of cyber economics. All it takes is someone who made a small investment in a computer and has a decent Internet connection—a few thousand dollars invested in an attack that costs companies and agencies millions to rectify.
“You can knock out all of the little players with cyber basics,” Halvorsen shared.