John “Jack” W. Wilmer has been on the job for a year as deputy chief information officer for cybersecurity within the Defense Department. Cyber-safeguarding the U.S. military is a monumental task — and one he embraces. So far, he said, “it has been a tremendously rewarding experience.”
Wilmer talked with WashingtonExec recently about his goals and strategies, emerging cyber tools and his expectations for the contractor community.
Big picture: What’s your cyber strategy?
I look at our role first and foremost as supporting the DOD CIO Dana Deasy’s Digital Modernization Strategy. The first aspect is driving down DOD cyber risk, from weapons systems to traditional networks. The second key aspect is really making sure that our next-generation systems are cyber secure.
Any recent success stories?
Workforce is a great example of one where we’ve actually had some recent wins. We’re rewriting DOD directives and policies to emphasize cyber work roles, to try and identify the training standards that are going to be required, the skill sets that are really needed to do the job.
One of the most specific projects that we have right now is a tool that Congress gave us a few years back called the Cyber Excepted Service. This is a really exciting way that we are looking at approaching how we can better do the entire life cycle, from recruiting all the way up to retaining talent, so that training and retraining aspect is also included in there.
What technological approach helps you frame the cyber effort?
One of the things that we’re really looking hard at is zero trust architecture. We actually have a number of the tools and capabilities in the department already deployed that allow us to take steps in that direction — things like end-to-end encryption or encrypting everywhere. We have all of the tools we need to do that. Now, we’re trying to identify how we drive that into organizations, and then make sure that we can scale that up across the department.
You’re talking about making big systemic changes. How do you do that within a government bureaucracy?
In the federal government, there’s a ton of different pockets of excellence. One of the key challenges that we have at the senior level is: How do we stitch them together so that we can actually generate some forward momentum for the department?
The job that I had before this — in the White House Office of Science and Technology Policy — had a very similar challenge. I learned a lot through that process. Different agencies had really, really good constructive ideas. We looked at how you leverage that by creating centers of excellence, and then [expand] that expertise across the federal government.
How does that translate to DOD?
I look at, for example, the transition to [the emerging software development methodology] DevSecOps: How do we accredit software differently? How do we drive more agility into bringing capability to the war fighter faster? The Air Force has got a number of initiatives that are just really forward-leaning, and we’ve got the Defense Digital Service with another set of initiatives. I try to take some of those lessons learned — the initial pilot and prototype efforts — and really look at how we can inform overall broad policy changes.
What are you looking for in the contractor community, as you push those changes forward?
We oftentimes get great briefings: “Here’s an individual threat. I’ve got the tool that can solve that threat.” A lot of our emphasis is now starting to shift away from individual threats, to focus on how we can do this more efficiently.
A good number of the meetings that I end up having are with companies that say, “Hey, you’ve already bought my product but you’re only using a small percentage of what I can actually bring to the table. I can do so much more for the department.” What I want to start to look at is, how do we find the most efficient and effective use of our dollars, as opposed to specific point solutions that can help us to counter an individual threat.
Any specific technologies you are tracking in cyber?
Artificial intelligence as a departmental technology — interest is huge. Organizations are able to leverage artificial intelligence to more rapidly probe and identify weaknesses and networks on the offensive side. How do we on the defensive side make sure that we can leverage artificial intelligence to better identify threats in a more automated fashion?
And for the longer term?
For cybersecurity, the Zero Trust Architecture Principles. If you look at our C3 pillar — Command, Control and Communications — 5G is probably the biggest thing there. Artificial intelligence is something that’s going to permeate across all of the domains that we have. And then the final pillar is cloud. It’s about agility and about being able to bring capability to the warfighter faster.
Overall, it’s really important to make sure that we’ve got the right building blocks in place to ensure that we are agile, so that as technology shifts, we’re able to more rapidly adopt those trends.
What’s this about for you, personally?
I’m big into problem solving. I like hard, sticky problems. When you look at where the department is now and what our adversaries, our strategic competitors, are capable of — it is a really fascinating space. There’s no real easy solution, so it’s something that just requires a concerted long-term effort. It’s an example of where you can be in a policy-type job, but at the same time find yourself neck deep in operational-related issues. It’s that combination of things that’s really fascinating to me.