Key Takeaways for Executives
- The military services have made significant strides in upgrading their cybersecurity systems and defending against cyberattacks, officials say.
- In particular, DOD is working to better train cybersecurity professionals and share cyber best practices across the services.
- However, several ongoing cybersecurity efforts need more work, and there needs to be additional progress in critical areas such as cloud security.
The military services have made progress in bolstering their cybersecurity systems and protecting against cyberattacks, but more work is needed, government and private sector cybersecurity officials agreed during a recent Federal Executive Forum webinar.
Donald Heckman, the Defense Department’s principal director for cybersecurity, said the Pentagon has focused extensively on “foundational work for cyber hygiene.” In particular, he said DOD has strived to build and maintain a highly trained cybersecurity workforce.
Brig. Gen. Jennifer Buckner, director of cyber for the Army, also emphasized the importance of developing a cybersecurity workforce that can effectively handle emerging threats. She said the Army has made “tremendous gains” in training cybersecurity personnel over the past four to five years, and it is now applying lessons learned “to bring cyber electronic warfare information operations to every echelon of the Army.”
This means, among other things, providing realistic training scenarios for up-and-coming cyberwarriors.
To that end, Buckner said the Army is working to accurately replicate various cyber environments so its forces train under the same conditions in which they will fight. It’s also finding unique ways to test the aptitude of those who want to work in cybersecurity.
“Our goal this year is that we don’t have special cyber rotations, but that every rotation is a cyber rotation,” she said.
Other Signs of Progress
In addition to improving the quality of its cybersecurity workforce, Buckner she has seen “unprecedented cooperation across DOD and the services” in sharing best practices for implementing new cybersecurity technologies.
John Davis, vice president and chief security officer for Palo Alto Networks Public Sector, said agencies are starting to use software-based advanced analytics like machine learning, automation and purpose-built packages of seamlessly integrated technical capabilities. This allows them to have consistent and continuous visibility across the enterprise environment and deliver automated protections, he said.
“We need to bring software to a software fight in order to change the balance between offense and defense,” Davis said.
Next Steps
Despite progress in shoring up cyber defenses, more effort is needed to secure government and private sector systems from ever-changing cyber threats, the panelists said.
For example, Heckman said DOD is developing advanced capabilities like “comply to connect,” which helps secure networked devices by applying patches and hardened configuration to those devices before they are connected and updating them continually. Heckman also said DOD is implementing advanced credentialed access management.
Davis said cloud-based systems are an “enormous priority” this year for his company’s public sector clients. He expects them to be in a “hybrid environment” for the foreseeable future, which entails shared responsibility for cybersecurity.
Cloud providers “are getting very good at securing their infrastructure, but the mission owners still have to secure their data and their applications,” he said. As a result, his firm focuses on helping mission owners secure what goes into and out of the cloud, as well as secure “workloads and containers in the cloud environment.”
Rear Adm. Danelle Barrett, cybersecurity division director for the Navy, cited his department’s “compile to combat in 24 hours” project, which aims to modernize the end-to-end architecture aboard ships to allow the Navy to deploy new software capabilities in under 24 hours.
This effort “addresses the fundamental challenges in an architecture that is legacy and hodge-podge, and relies on big, old applications that have a lot of cyber vulnerabilities,” he said. The “compile to combat” project emphasizes data standardization, shared infrastructure to “reduce attack surface,” smaller applications with less cyber risk, and commercial cloud best practices.
“We’re shedding some of the Navy-unique snowflake things that we thought we needed to do, but don’t,” he said.
Related: Top 10 Cyber Execs to Watch