How DoD holds service leaders accountable to ‘back to basics’ cyber program

About a year after major breaches at the Office of Personnel Management forced all agencies to buckle down and address their critical vulnerabilities, Defense leaders say they’re beginning to see a noticeable culture change in how each service thinks about cybersecurity.

Roughly 98 percent of the Defense Department’s intrusions within the past year were due to simple mistakes from its employees, said Marianne Bailey, principal director and deputy chief information officer for cybersecurity at DoD.

That review forced DoD Chief Information Officer Terry Halvorsen to call on the services to go “back to the basics” of cybersecurity and create a Cybersecurity Implementation Discipline Plan. The plan includes a scorecard, which measures services’ progress on responding to 10 common cyber vulnerabilities and incidents.

In most cases, service leaders already had formal orders to address many of the items on the department’s top 10 cyber list.


“It’s not like anybody should have been surprised by it, but people weren’t doing it because they have so many things to do,” Bailey said at a NextGov cybersecurity panel discussion in Washington Aug. 11. “And obviously it didn’t get prioritized high enough along with all the other mission things they had to do.”

In the past, many service commanders were stumped over questions about governance and accountability, Bailey said. They assumed their respective network administrators owned those cybersecurity problems, and there was little visibility at the top over how well their agencies were performing.

But Bailey said things are beginning to change.

“It’s been pretty incredible, because nobody — I don’t care how many stars you have on your shoulder — nobody likes a bad grade,” she said.

Halvorsen and his office hold weekly meetings with the service CIOs to review their performance on each of the 10 scorecard items.

“All their data rolls up,” Bailey said. “They have 10 scorecards for each service, and they have to sit in front of the DoD CIO and tell him why they have the numbers that they have. [For] example, every user logs in with a [public key infrastructure]. Why don’t you do that? What percentage is the Air Force? What percentage is the Navy? Everybody should be at 100 percent.”

DoD also has a measure to track services’ progress in moving away from Windows legacy systems and adopting Windows 10, Bailey added.


“Briefing that to the CIO once a week gets people’s attention,” she said. “I’ve watched the culture change, and that’s probably been the biggest part.”

Defense Secretary Ash Carter receives briefings on the scorecards once a month and invites service CIOs to his office to discuss the results.

“When the Secretary of Defense is caring about it, [when] Terry Halvorsen is caring about it, they really need to care about it,” Bailey said.

The issue of IT and cyber governance and accountability is one that the Office of Management and Budget has addressed in recent policy memos and updates.

Trevor Rudolph, chief of the OMB Cyber and National Security Unit, said he’s witnessed agency deputy secretaries take a more high-level interest in their organization’s cybersecurity activities throughout the year. Governmentwide programs like the cyber sprint, Cybersecurity Strategy Implementation Plan (CSIP) and now the Cybersecurity National Action Plan (CNAP) have all forced deputy secretaries to make those decisions, Rudolph said.

But the issues still need more attention, he said.

“Each one of those agencies is making their own independent risk decisions right at the headquarters level,” Rudolph said. “And then down at the bureau level, they’re making their own independent risk decisions. And no one really has the enterprisewide view in mind, with the exception of the folks who sit at the center of government. And even the folks who sit at the center of government don’t have the authority really, if you look at FISMA, to say no, you actually can’t make that risk decision. That’s a big problem that we need to think about as a community as we move into the next administration.”

OMB’s long-awaited release of Circular A-130 addressed some aspects of the challenge Rudolph described. The new policy update requires that agencies implement a risk management framework to guide their work on categorizing and securing their IT systems.

DoD, like many agencies, said the OPM cyber breaches also forced the department to look more closely at and question data sets that it wouldn’t have otherwise: who holds the information, how is it protected, what products and services is the department using?

“One of the things that we learned from it — especially at the senior leadership level and from everybody’s level — is that there are systems and data that we didn’t pay enough attention to that we probably wouldn’t have considered mission critical data, that impacted us so broadly,” Bailey said.

Bailey said DoD is also beginning to change its broader tactics around security. The department’s initial focus centered on perimeter protection. But with 1.7 million end user devices, DoD realized it needed to focus on securing the mobile space.

“We’re finding that our end points are the places where we really want to focus our environment, because that’s where our biggest threat is,” she said.