WASHINGTON, Oct. 17, 2017 — As part of National Cybersecurity Awareness Month, the Defense Department’s deputy chief information officer held a media roundtable at the Pentagon with her service counterparts yesterday to discuss key DoD and military initiatives.
Joining Essye Miller, who is also DoD’s chief information security officer, was Air Force Maj. Gen. Burke ‘Ed’ Wilson, deputy principal cyber advisor to Defense Secretary Jim Mattis, and senior military advisor for cyber in the office of the under secretary of defense for policy.
Miller’s service counterparts were Gary Wang, Army deputy CIO; Ken Bible, deputy CIO for the Marine Corps; Peter Kim, Air Force chief information security officer; and Theresa Lang, director of the Navy’s cybersecurity division.
Miller said that the Department of Homeland Security is responsible for orchestrating cybersecurity awareness month activities, and each week during October has a different theme: Simple Steps to Online Safety, Cyber Security in the Workplace is Everyone's Business, Today's Predictions for Tomorrow's Internet, The Internet Wants You to Consider A Career in Cybersecurity, and Protecting Critical Infrastructure From Cyber Threats.
“This is not just about the Defense Department and our mission,” she said, “this is about helping people understand that resilience in mission assurance is everybody's responsibility at home or in the workplace.”
Cybersecurity is not just an information technology area, Miller added.
“Everyone who's operating on the network — be it the DoD information network or the general internet — has a responsibility with regard to safety and cybersecurity awareness,” she said, noting that DoD has hosted external engagements in schools and technical forums and has had a booth at the Pentagon to make sure everyone in the building is educated about their cybersecurity responsibilities.
U.S. Cyber Command
U.S. Cyber Command is being elevated to a full combatant command and the work to make that happen is ongoing, Wilson said, describing the command’s elevation as an effort to backstop each service with regard to cybersecurity.
“It was laid out in the National Defense Authorization Act last year, and in concert with that we're in the process of standing up the command for two reasons,” he explained.
One is recognition that the command has matured and it will be key in the department’s cyber strategy and the way forward. The second is that Cybercom is a critical element in dealing with cyber threats that are growing in complexity, sophistication and proliferation.
Elevating Cybercom to a full combatant command is a signal to allies and adversaries alike, Wilson said, and the pacing item is nomination and confirmation of a commander, which is being worked through with the department’s senior leaders and the president’s office.
The Cyber Mission Force — a 6,200-person maneuver force broken up into 133 teams — reached initial operating capability a few months ago, and work continues toward achieving final operating capability by October 2018, as scheduled, he said, adding that the teams are already “engaged in this fight from a cybersecurity perspective.”
Wilson said the Cybercom team has just established a cyber excepted service, meaning that people with needed cyber skills are excepted from the federal government’s competitive hiring process.
“It streamlines the process in terms of how we can bring civilians into the department for our cyberspace operations and cyber security needs,” he said.
The focus now for Phase 1 is on Cybercom, the joint force headquarters, the DoD information network at Fort Meade, and a small element of the Pentagon CIO team.
“In 2018 we'll begin to go into Phase 1 and then ultimately Phase 3, which will be departmentwide in late 2018,” he said, adding that it’s a big step for the department.
“We see that as bolstering cybersecurity for the department and gives us a new tool to go about doing that,” Wilson added.
Army Deputy CIO Gary Wang said his service has named cybersecurity a readiness priority and are emphasizing educating people about designing cybersecurity into mission systems and weapon systems rather than trying to add it later.
For Cybersecurity Awareness Month, Wang said the Army is focused on training and making cybersecurity an operational priority, “ensuring that resources, support and training and policies are geared toward that.”
An external focus is helping ensure that small business or small business innovation research contractors are putting cybersecurity mechanisms in place, Wang added, and helping Army families and extended families integrate cybersecurity into their lives.
Navy Cybersecurity Division Director Theresa Lang said the Navy began taking cybersecurity very seriously in 2014, first standing up Task Force Cyber Awakening, and then spending a year to determine how to protect Navy systems and to reorganize to support cybersecurity in every domain.
"One of the things we did was stand up the Navy Cybersecurity Division, and later on we folded that into the Navy CIO organization,” Lang said, “so now we have cybersecurity and the CIO organization working together as a single group and it's made a huge difference.”
The Navy also expanded a focus on cybersecurity in traditional business systems to all control or industrial systems. To protect the the service’s key cyber terrain, she said, cyber officials established an office called CyberSafe — for cybersecurity safety — to ensure proper protections, risk management and investment in the right areas.
Lang said the Navy has established its own standards for cybersecurity across the service, and has set up a cybersecurity executive committee that hears cybersecurity framework briefings every six months by commanding officers from every domain.
Marine Corps Deputy CIO Ken Bible said his service’s cybersecurity priorities include protecting and defending data, users, systems and the reputation and image of the Corps.
In March, the service released its strategy for assured command and control, he said, which emphasized an integrated network for enhancing warfighting and statutory functions and command and control capabilities across the Marine Corps.
Bible said the focus was to transform the former Navy-Marine Corps internet into a unified network, modernize the civilian and military work force by upgrading old military occupational specialties for the information age, and invest in IT modernization.
This summer the service added a three-star deputy commandant for information, Marine Corps Lt. Gen. Daniel O'Donohue.
“We're in the midst of standing up that organization,” Bible said, and O’Donohue’s priority is getting the Marine Air-Ground Task Force Information Group operational as the Corps seeks to make information-related capabilities relevant in the fight.
Air Force Chief Information Security Officer Peter Kim said that in addition to the five Department of Homeland Security focus areas, another priority this year has been to extend its cybersecurity messaging into the field.
“We've made a conscious effort to have teams and myself go out to several Air Force bases,” he said, to help educate airmen and their families.
They began in August in Montgomery, Alabama, at the Air Force Information Technology and Cyberpower Conference, he said, adding that the team also visited locations in the continental United States and Hawaii and would continue the trips into November.
Kim said the Air Force developed pamphlets about cybersecurity hygiene, identity theft, password safety and other cybersecurity tips for spouses, children and even grandparents.
Such a need hit home with Kim last year when his father began receiving spear-phishing emails asking for passwords and account numbers.
“I found myself at work, worried about him,” Kim said, “and I realized that not only do our airmen have to be aware of these cybersecurity threats and simple hygiene, but [so do] my spouse at home and even my children … and my parents. If they're not cyber safe and cyber secure, it affects me and the workplace.”
This is one of the themes Air Force Secretary Heather Wilson and Air Force Chief of Staff David L. Goldfein are promoting, he said.
“We need to take of each other, not just the uniformed folks but extend that to the families of our airmen. That goes for cybersecurity also, so we're making a concerted push into those areas,” Kim added.