Good morning everybody, good afternoon, wherever you are. I appreciate the opportunity to talk to you. I guess, this is the traditional COVID way of providing an address at these events. I don’t know about you, but I look forward to the time when we can engage directly together, but in the meantime, it’s great to be able to come here and give everyone a perspective of the Department of Navy CIO.
My name is Aaron Weis and I am the Department of Navy Chief Information Officer and I want to spend a few minutes today talking a bit about how life has changed here over the past nine months, and to put that in context of what we are trying to do across the Navy and Marine Corps.
Twenty-twenty has been an interesting year. We started out this year by releasing the Information Superiority Vision in January. The intent of the ISV is that it is an overarching vision meant to provide direction and guidance for the department as we move forward in the information technology, information management space. That vision laid out three key LOEs, lines of effort. Succinctly, it calls for a modernization of our infrastructures, calling out another LOE that we call innovation, where we could build competitive advantage leveraging that modernizing infrastructure, and calling out another LOE, that we call defend. That means defending information wherever it is – at rest, in transit, or in the supply chain.
Very early on, the pandemic caused us to pressurize and shift our priorities and it has highlighted now more than ever the need for that first LOE which is modernization. That has become now the thrust of 2020 as we head into 2021.
There are several things that have happened alongside of that—the emergence of mass telework. I can tell you from a Department of Navy perspective, pre-pandemic, we would have between 10,000 to 12,000 people teleworking every day. Today is no exception, we typically support 200,000 teleworkers on any given day.
We have done that by vastly expanding our telework infrastructure. We have more than quadrupled the amount of VPN capacity, we’ve quadrupled the bandwidth into the DoDIN end, as well as deployed collaboration tools. Like the tool I am using today to record this message, Microsoft Teams. That’s been done under the banner of the DoD CIO’s CVR, or commercial virtual remote, that’s brought desktop collaboration, interaction and file sharing to hundreds of thousands, in fact, to more than 1 million people across the Department of Defense using this tool.
Along with that, it has brought a focus on other things that were on our radar and has caused them to move much closer to us and I would put in line with that zero trust and this entire argument that we need to move toward a zero-trust architecture. That zero-trust architecture is part and parcel of us being able to offer this expanded telework capability.
So when we look at how things are unfolding as we head into fiscal year 2021 into 22, I think there are some big muscle movements that are happening that are informed by the Information Superiority Vision and informed by the reality of telework and the pandemic, and they lay out kind of briefly, several big pieces which have shifted around.
If you would have asked me a year and a half ago what would be the most important thing to do under the modernization scope, I would have told you transform the network. I still believe it is absolutely critical; however, several things have happened so that network transformation has been pushed to the right a bit through the RFP (request for proposal) process and some of the hurdles we are having to push through because of that.
But the pandemic and COVID has shifted left the need for these personnel telework tools. So in its place has shifted the broad and rapid deployment of the enduring telework capability driven, in large part, by the Microsoft O365 world.
In parallel with that we are working to build a view of what the impact of modernization will be on the networks and on our infrastructure as we make those shifts through modernization. We have launched an end-to-end infrastructure assessment to get at the data and the baseline behind [it] so we can build a highly informed plan to decommission the legacy infrastructure that much of this transformation will render obsolete. That’s happening right now. Those things come together in 2021, and by the end of 2022, as we head into a modernized infrastructure and decommissioned legacy infrastructure.
Those things come at a cost but they are not the end-all, be-all. Our Office 365 [deployment] is not the reason for modernization. Doing a network transformation, while interesting and important, is not the reason to do modernization. The real reason is to bring increased capability, increased capability to our warfighters, increased capability at the tactical edge. Those things come together broadly in the DoD vision of JADC2, which is Joint All-Domain Command and Control.
JADC2 is about integrating cross-service integrated long-range fires. It’s integrated command and control cross-service. It highlights the macro requirement to be able to securely move data from anywhere on our networks to anywhere on our networks. It means really as the Marine Corps would put it — ‘from flagpole to foxhole’ — on the pointy edge of the tactical edge reaching all the way back to your enterprise, and in some cases, reaching all the way to clouds and supply chain networks — to be able to source data that comes together at the point of impact — that’s JADC2.
JADC2 absolutely relies on that end-to-end networking capability — to be able to securely and seamlessly move data from and to anywhere. It also relies on our being able to describe and manipulate that data in an interchangeable and usable format, which comes back to the need to be able to articulate and describe data broadly. The Vice Chairman of the Joint Chiefs of Staff, General Hyten, recently described it in the same way in a pre-recorded COVID video.
The DoD CIO talked about it in a recent town hall. In that address, he made an interesting comment. He said JADC2 is all about the data. It is all about being able to move, push and describe data in a way that anyone can gather, integrate and use. That’s highlighted the need for our data initiative, which is also built under the Information Superiority Vision. That is being driven by our Chief Data Officer, in conjunction with the DoD Chief Information Officer (CISO), who, by the way, recently released the Department of Defense’s new Data Strategy.
So the Department of Navy is engaged to implement that strategy so that we can realize that vision of moving, describing data and moving it securely, fully supporting JADC2. It is truly all about the data.
I think the other thing, as we move through ’21 and ’22, informed by the vision, informed by the pandemic, that’s been highlighted, is the need for a refocus on the defend LOE. This really gets at how we secure any data, anywhere that we are responsible for.
There are a couple areas, I mentioned earlier, the zero-trust architecture that is absolutely critical. The Department of Navy will undergo a transition from a defense cybersecurity model to largely a defense perimeter model. What you would largely traditionally describe here as ‘defense-in-depth.’ It’s the idea that we put up rings of perimeter that we believe can capture bad guys before they can do harm to the interior of our networks.
There will be a transition from the defense-in-depth model based around perimeter security to a model based on zero-trust architecture. It fundamentally means that we don’t trust anyone even if we are on our own network. Taken to its most extreme view, it means that you could actually operate on an adversary’s or enemy’s network because you don’t trust them.
It works because you have a secure identity and you use that to match with data that you can describe and secure. That zero-trust architecture transition is something that is starting but it won’t happen overnight. We will live in a world of both zero-architecture and defense-in-depth perimeter security for some time as our various legacy systems also undergo that transition.
The second element of that focus on defend will be on the defense industrial base, or DIB, as it’s colloquially referred to. Securing the defense industrial base is absolutely critical because when we look at the events that have happened, the leakages that have happened to our data, in many cases, it has come through the supply chain, through the defense industrial base and really more directly at the tier 2 [suppliers] and below where there is less cybersecurity focus and maturity.
There was a Cyber[security] Readiness Review (CRR) done in 2019 that really looked into where were the gaps and exposures from a cyber perspective, and one of the main focuses of that report was the need to secure the defense industrial base. So our Chief Information Security Officer has begun to implement a four-part plan for really going after securing the DIB under the LOE of defend. It is focused on four key areas. The first one I would say is proactive defense, it is the ability to get out in front, in partnership with the DIB, with tools and capability that allows us to proactively defend from threats. And that is working in partnership with acquisition and some of our law enforcement agencies and cybersecurity agencies.
The second element is this idea of engagement. This is bringing the defense industrial base CISOs with the Department of Navy and Marine Corps information security professionals and likely together with those organizations that have a threat-informed view of the world and to do that in an open exchange environment. There are some models where this has worked really well, in the financial industry very, very well. I would use the United Kingdom as a model of an across industry forum that the Ministry of Defense has been able to bring together. So we have some inspiration and templates to leverage as we do that and we want to move forward with increased engagement and knowledge-sharing forums for that threat-assessment share.
The third area is a robust incident response and notification process that we can put in place so that our partners in the supply chain know where to go to get help, where they need to go to ‘push the red button’ – if you will.
The fourth area is educating broadly the workforce and the acquisition workforce on the need for cybersecurity measures, not only in acquisition activities and RFPs, but also in the broader supply chain workforce — very much in line with our CISO’s effort to do the same internally with the perspective that every Sailor, every Marine, every civilian is a cyber sentry in the fight against cybersecurity losses and intrusions.
So that is a lot to take in. I know I covered a lot of ground from the birth of the Information Superiority Vision, through the pandemic focus on telework, the big muscle movements that are shifting in ’21 and ’22 as Office 365 and telework shifts left in place of network modernization which is still very much in scope, just shifting a bit right due to realities of the world and how that all supports JADC2 to be able to do cross-service, cross-domain integrated fires and that leading to the importance of data, the data strategy and security, and finally, doubling down, in accordance with the CRR, our need to defend our information.
So lots to do, busy year or two ahead for us. It’s exciting, but I look forward to getting ahead of that. Again, I want to thank everyone for your attention. My thanks to FedScoop for the opportunity to come and talk to you and good luck with the rest of your event.