The Pentagon’s cyber and IT professionals have made progress raising awareness among senior military leaders about cyber threats to weapons systems and other critical technology, but there are still some who don’t take it seriously enough, DOD Chief Information Security Officer David McKeown told an audience of Air Force contractors Dec. 13.
“There have been two occasions over the last several [budget and planning] cycles where my boss, the [Chief Information Officer], has sent a warning to a service secretary that he may not certify your budget because you are not adequately addressing this [cybersecurity] requirement that we’ve asked,” he said.
Those requirements are laid out in a five-year plan produced and annually updated by the CIO’s office known as Capability Planning Guidance, McKeown explained during a panel discussion at the AFCEA Northern Virginia Air Force IT Day.
“That’s where we outline what services and agencies are supposed to do [in terms of cybersecurity], and that means: Put your money where your mouth is. You have to fund things that are going to solve the problem we’re telling you about,” he said.
The CIO—currently Leslie A. Beavers on an acting basis—has to sign off on service budgets to certify that they are dealing with the issues identified in the guidance.
McKeown said the CIO’s warnings about noncertification are “a pretty big deal, and it gets [service leaders’] attention, and they quickly rectify that.”
But often, he said, that rectification might mean other, less critical cyber measures will not get funding.
“We know that even inside the services, we’re often robbing Peter to pay Paul, so when we tell them to do something like that, something else is probably going to fall off the plate,” he said.
At the program level, McKeown said, there are still officials who don’t see cyber requirements as critical.
“I think there’s an increased awareness. A lot of the top leadership is getting it,” he said. “In certain programs, it still gets ignored. I’ve heard acquisition professionals tell me that ‘We know about these cyber vulnerabilities, and they’re critical. They can take down the weapon system, but there are a lot of other operational requirements that we have to pay for this year in this particular weapon system. So therefore the cybersecurity stuff didn’t meet the cut line.’”
Panel moderator and AFCEA committee member Greg Garcia, a former senior official who held civilian cyber and IT leadership positions in the Army and the Air Force, recalled that, during the years before he retired in 2021, many commanders would basically ignore online threats. “Every time there would be a cyber threat [warning], I remember operational mission impact statements that would override every single cyber threat [measure], because the operational commander would say, ‘I accept the risk’ without any clue of what they’re actually accepting,” he said.
These days, added Air Force Brig. Gen. Heather Blackwell, deputy commander of the Joint Force Headquarters-Department of Defense Information Network, or JFHQ-DODIN, more commanders understand the need to think of their networks like a battlespace: terrain they need to control to fight.
JFHQ-DODIN is responsible for maintaining and protecting the Pentagon’s global IT networks, but it is the operational commanders who have to do that protection on the ground, she said.
“I can’t do command and control for 3.2 million endpoints” from her 450-strong team, she said. Commanders have to be accountable.
“Do I have a single commander that I can go to, to say ‘You have not done your cyber [measures] tasked to you. You might have a compromise. You might be compromising this mission’ … Making sure that somebody owns that terrain is one of the biggest pieces,” she said.
In general, although there is much greater understanding now of the threats, much work remains to turn that knowledge into operational measures, added panelist Nick Freije, the assistant chief engineer for mission architecture at the Naval Information Warfare Systems Command.
Currently many threat analyses are conducted without a real appreciation of the risks that enemy hackers could present, Freije said. “A lot of times, we’ll do a threat analysis and it’s like ‘Yes [given a] perfect, sunny day uncontested, sure, I can do everything. I can do my mission in this perfect world.’ No, we have to start bringing in reality to this. … And then also start hearing, ‘Wow, that’s not going to quite work. Maybe we won’t be able to get that information or that material solution to where you’re going to need them.’”
Tabletop exercises and cyber red-teaming or penetration testing are also key ways to raise awareness, said McKeown.
“The tabletops are a good start,” he said. “The red-teaming is a much better start. I wish that weapon system platforms and critical infrastructure platforms constantly were red-teaming their own things and then fixing those things.”
So-called “purple-teaming,” where red teams identify vulnerabilities and then blue teams fix them, is the ideal way to proceed, McKeown said. “We need more of that as we go forward.”
The bottom line, he said, is that in a shooting war, the military could find itself suddenly bereft of crucial capabilities if it hadn’t cyber-secured them in advance.
“Our weapon systems, our critical infrastructure, are definitely at risk, and they may not be there at the critical time that we need them if we don’t address these cyber vulnerabilities,” he said.