When it comes to enterprise risk management, federal chief information officers and chief information security officers have gotten the memo from President Donald Trump. But some cybersecurity officials within the upper echelons of the defense community worry that the rank-and-file may be too preoccupied with the nuts and bolts of compliance.
Since the president’s cybersecurity executive order in May, federal CIOs and CISOs have received several deadlines aimed at adopting an enterprise approach to cyber risk assessment and mitigation. But Trump’s recently confirmed Air Force secretary and the service’s CISO are looking to reduce the number of directives airmen must consider in carrying out the cybersecurity mission.
“We are crippling our millennial, innovative, bright young folks out there in the field, and a lot of them are being discouraged, and that’s the last thing I need in an Air Force,” said Peter Kim, the Air Force’s CISO, at an FCW cybersecurity summit on Wednesday. “I need a generation that feels motivated to solve our most complex problems in cybersecurity.”
The Defense Department has found major success with cyber initiatives like its “bug bounty” program, which has been emulated by the Army and Air Force and by the General Services Administration, the first civilian agency to do so. But, in order to really manage cyber risk, Kim said the Air Force needs to cut through the clutter of regulations.
“We’re trying to tell folks at the lowest level, you don’t have to comply with hundreds and hundreds and hundreds of things,” he said. “For cybersecurity, it’s become crippling. From my perspective, the [Risk Management] Framework is a good framework, it was well-intentioned. At the lowest levels, they’ve become crippled by every piece of control under the NIST cybersecurity framework, because they haven’t been told that they can think innovatively and on their own on which controls are the most effective for whatever problem they’re trying to solve … Compliance is necessary. You’ve got to do some of the basic things, but it’s OK if you can’t get to the 800 controls, but it’s OK if you miss a patch, it’s OK if you don’t have the server STIG-ed to the ultimate way that the Defense Information Systems Agency wants you to do. It’s good enough. Slap it on a network and let the warfighter conduct mission.”
Air Force Secretary Heather Wilson recently launched a two-year initiative to “review, reduce and clarify all Air Force directive publications,” in order to allow greater flexibility and mission focus.
“The Air Force has too many directive publications,” Wilson said in a memo. “They are often outdated and inconsistent, breeding cynicism when airmen feel they cannot possibly follow every written rule. They are sometimes too rigid, slowing adaptation and discouraging new ideas.”
For Kim, cybersecurity is more of a personnel challenge than a technical one.
“I tell people every day, my job as a CISO really is dealing with humans. The technical stuff, I leave it to the folks out there at the edge, but my day is trying to connect the dots among all the various folks that are trying to execute the campaign, educate on the threat of the day, whether it’s Wannacry or it’s something that CYBERCOM wants us to tackle or if it’s another cybersecurity scorecard,” he said.
Rather than have airmen follow “every directive under the sun,” Kim said most of the Air Force’s C-suite leadership is concerned with how cybersecurity ties into the ability to carry out the mission.
“We are going to have, in the future — we have now, and we’re going to have more — we’re going to have cyber defenders at the edge that can think for themselves, with some sophisticated, complex tools, and they’re going to be able to secure and defend the terrain, maneuver inside that IP space and cyberspace. And we’re going to tell them, that is your job, to ensure for the wing commander that the F-22 mission is secure in and through and from cyberspace,” Kim said.