August 11, 2016
About a year after major breaches at the Office of Personnel Management forced all agencies to buckle down and address their critical vulnerabilities, Defense leaders say they’re beginning to see a noticeable culture change in how each service thinks about cybersecurity.
Roughly 98 percent of the Defense Department’s intrusions within the past year were due to simple mistakes from its employees, said Marianne Bailey, principal director and deputy chief information officer for cybersecurity at DoD.
That review forced DoD Chief Information Officer Terry Halvorsen to call on the services to go “back to the basics” of cybersecurity and create a Cybersecurity Implementation Discipline Plan. The plan includes a scorecard, which measures services’ progress on responding to 10 common cyber vulnerabilities and incidents.
In most cases, service leaders already had formal orders to address many of the items on the department’s top 10 cyber list.
“It’s not like anybody should have been surprised by it, but people weren’t doing it because they have so many things to do,” Bailey said at a NextGov cybersecurity panel discussion in Washington Aug. 11 . “And obviously it didn’t get prioritized high enough along with all the other mission things they had to do.”
In the past, many service commanders were stumped over questions about governance and accountability, Bailey said. They assumed their respective network administrators owned those cybersecurity problems, and there was little visibility at the top over how well their agencies were performing.
But Bailey said things are beginning to change.
“It’s been pretty incredible, because nobody — I don’t care how many stars you have on your shoulder — nobody likes a bad grade,” she said.
Halvorsen and his office hold weekly meetings with the service CIOs to review their performance on each of the 10 scorecard items.
“All their data rolls up,” Bailey said. “They have 10 scorecards for each service, and they have to sit in front of the DoD CIO and tell him why they have the numbers that they have. [For] example, every user logs in with a [public key infrastructure]. Why don’t you do that? What percentage is the Air Force? What percentage is the Navy? Everybody should be at 100 percent.”
DoD also has a measure to track services’ progress in moving away from Windows legacy systems and adopting Windows 10, Bailey added.
“Briefing that to the CIO once a week gets people’s attention,” she said. “I’ve watched the culture change, and that’s probably been the biggest part.”
Defense Secretary Ash Carter receives briefings on the scorecards once a month and invites service CIOs to his office to discuss the results.
“When the Secretary of Defense is caring about it, [when] Terry Halvorsen is caring about it, they really need to care about it,” Bailey said.
The issue of IT and cyber governance and accountability is one that the Office of Management and Budget has addressed in recent policy memos and updates.
Trevor Rudolph, chief of the OMB Cyber and National Security Unit, said he’s witnessed agency deputy secretaries take a more high-level interest in their organization’s cybersecurity activities throughout the year. Governmentwide programs like the cyber sprint, Cybersecurity Strategy Implementation Plan (CSIP) and now the Cybersecurity National Action Plan (CNAP) have all forced deputy secretaries to make those decisions, Rudolph said.
But the issues still need more attention, he said.