Pentagon Looks to Industry For Cyber Tools and Talent
The Defense Department is investing heavily in information technology. Its budget plan calls for spending $38.2 billion on IT in fiscal year 2017, including $6.8 billion on cyberspace operations.
Going forward, Defense Department officials want to enhance ties with non-traditional industry to bring new technologies and experts into the force.
“Much of the innovation today being driven in the cyber and IT business is coming from the commercial sector,” Defense Department chief information officer Terry Halvorsen told members of the House Armed Services Committee in March. “That partnership that we continue to strengthen is a key to us getting the right innovation and getting it on time.”
As part of this effort, Cyber Command has established a “point of partnership” in Silicon Valley within the Defense Innovation Unit-Experimental outpost that Secretary of Defense Ashton Carter established last year. The command plans to expand this outreach effort to other tech hubs, including Boston, Cybercom commander Adm. Michael Rogers told lawmakers.
Defense officials hope to create a revolving door type of environment where cyber experts from the private sector can come work for the U.S. military for a fixed period of time before returning to their companies.
“We really want to be able to bring them in and have them sit in a position for a year, being able to execute some decisions within the department, and then go back to industry, just like I think there’s a market space today for us to have some of our civilian employees go to industry,” Halvorsen said.
“We want more of an in and out, back and forth. And you could really see the career path in cyber IT changing so that it’s not an all-civilian or all-government career path, but a much more combined career path,” he added.
To facilitate that, Congress needs to act, he told lawmakers. “I do think we will need some legislation that probably changes slightly the rule sets about what we’re allowed to do with the industry people.”
When it comes to IT, the Defense Department’s science and technology spending is heavily influenced by what the private sector is doing, Halvorsen said.
“I want to focus our S&T dollars around the areas the industry isn’t going to focus on, and that’s going to be on the weapons systems and top-level security systems where there is not yet much play in the commercial sector,” he said. “I think our budget reflects that that’s where our emphasis is.”
In a constrained fiscal environment, there won’t be much spending on technology that the private sector is already developing, he said.
“I think I can get that same innovation … by strengthening our relationships with commercial industry,” Halvorsen told lawmakers.
The Pentagon and other federal agencies are looking for a range of cyber-related technologies. A General Services Administration solicitation to industry published in April identified the following areas of interest: network mapping, vulnerability scanning, penetration testing, phishing assessments, proactive adversary hunt, reactive adversary hunt, incident response and security engineering services including post-incident or post-assessment remediation.
For its computer operating systems, the Defense Department is moving toward a Windows 10 baseline.
“Right now, when you try to look at the visibility of the networks, while we’re making improvements you’re doing that across multiple operational systems, multiple baselines,” Halvorsen said. “It’s impossible to do well.”
Getting to a single baseline for Windows — which is present on 80 to 85 percent of Defense Department computers — will streamline the process, he said. “Windows 10 is the first operating system that really thought about security right from the beginning and has built-in features that we will take advantage of.”
Adopting Windows 10 across the force will enable the Pentagon to better exploit cloud computing technology, he noted. Halvorsen is hopeful that within five years, most Defense Department systems will use a virtual cloud environment similar to what is offered by Windows 365.
“We will have private clouds, which are completely private within segments of DoD,” he said. “We will have private clouds that are DoD and other parts of the federal government. And then we will have hybrid [government]/public clouds.”
To achieve the best combination of security and financial savings, the hybrid clouds should be hosted in commercial centers, he said.
If the Windows 10 transition goes well, the Defense Department could announce this summer that it has decided to move toward “a more complete cloud environment,” he told lawmakers.
The Pentagon wants to tap talent from the private sector as it embraces the cloud.
“The best cloud engineers today are not in the government,” Halvorsen said. “The best ones today are in industry.”
The Defense Department needs to bring them in to work for the government on a temporary basis, he said. “I ought to be able to … say, ‘OK, you’re the lead cloud engineer for this year that you’re doing this work with us,’ and give them the authority to make decisions and … expend dollars.”
It is difficult to do that with the authorities that are in place now, he told lawmakers.
Defense officials need to address security concerns before moving to the cloud, Halvorsen noted. “How do you achieve virtual separation so that you don’t get the effect of everything being loaded in one spot and it can be exfiltrated? And if it does get penetrated, how do you quickly shut that off and isolate it? And we are spending a lot of time working with the industry experts in how to do that.”
Pentagon IT systems are increasingly under attack from state and non-state adversaries.
“They are kicking in the doors,” said Army Lt. Gen. Alan Lynn, the commander of Joint Force Headquarters-Department of Defense Information Networks, who also serves as director of the Defense Information Systems Agency. “It’s fast. It’s snatch and grab.”
The Defense Department is looking for new tools from industry to improve situational awareness.
“We need analytics,” Lynn told members of industry at a recent AFCEA cyber symposium. “If you come up with a good idea of seeing the network better or seeing anomalies on the network, if you have that [technology] that we could plug into our system, that would be great.”
The Defense Department might consider paying for analytics as a service, he said.
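As an added illustration of the kind of network-anomaly analytics Lynn is describing (example code written for this page, not a DoD, DISA or vendor tool), the script below baselines each internal host's hourly outbound byte volume and flags an hour that deviates sharply from that host's own history, the "snatch and grab" pattern in which a compromised host suddenly pushes far more data out than it normally does. The flow-record format, the sample records and the thresholds are all assumptions made for the example.

```python
"""Per-host baseline anomaly detector over constructed flow records.

Added example, not code from the article. Assumes flow records are dicts
with an hour bucket, source host, destination host and outbound byte count;
the sample data below is constructed and the k threshold is illustrative.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: hourly outbound bytes for two internal hosts.
# 10.0.0.5 is steady throughout. 10.0.0.7 is steady for six hours, then
# sends roughly 25x its normal volume to one external address in hour 6.
SAMPLE_FLOWS = [
    {"hour": h, "src": "10.0.0.5", "dst": "198.51.100.10", "bytes_out": b}
    for h, b in enumerate([1200, 1350, 1100, 1500, 1250, 1400, 1300])
] + [
    {"hour": h, "src": "10.0.0.7", "dst": "203.0.113.9", "bytes_out": b}
    for h, b in enumerate([2000, 2100, 1900, 2200, 2050, 1950, 48000])
]

# Scale factor that turns the median absolute deviation into an estimate
# of the standard deviation for normally distributed data.
MAD_TO_SIGMA = 1.4826


def robust_spread(values, center):
    """Median absolute deviation of values around center, scaled to sigma.

    A single huge spike barely moves the median/MAD, so the baseline is
    not dragged upward the way a mean/stddev baseline would be."""
    return median(abs(v - center) for v in values) * MAD_TO_SIGMA


def find_anomalies(flows, k=6.0, min_history=4):
    """Return (src, hour, bytes_out, score) for every host-hour whose
    outbound volume exceeds that host's own baseline by more than k robust
    standard deviations. Only hours with at least min_history earlier
    observations for that host are scored, so a new host is not flagged
    on its first few records."""
    per_host = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f["hour"]):
        per_host[flow["src"]].append(flow)

    anomalies = []
    for src, records in per_host.items():
        history = []
        for rec in records:
            if len(history) >= min_history:
                center = median(history)
                # Guard against a zero spread (identical history values).
                spread = max(robust_spread(history, center), 1.0)
                score = (rec["bytes_out"] - center) / spread
                if score > k:
                    anomalies.append(
                        (src, rec["hour"], rec["bytes_out"], round(score, 1))
                    )
            history.append(rec["bytes_out"])
    return anomalies


if __name__ == "__main__":
    for src, hour, nbytes, score in find_anomalies(SAMPLE_FLOWS):
        print(f"ALERT host={src} hour={hour} bytes_out={nbytes} score={score}")
```

Using a per-host baseline rather than a fleet-wide threshold matters: a file server that legitimately moves gigabytes every hour should not mask a workstation that suddenly moves a few megabytes more than it ever has. In a production pipeline the history would be persisted and the destination field would feed a second check (new external destination for this host), which this example leaves out.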
Defense officials are also seeking industry’s help with “software defined networking” to lower costs, improve defensive capability and enhance resiliency.
“If you build out a big enough network that’s providing capabilities for you, imagine … you don’t just make one copy of it but you make multiple copies of it,” Lynn explained. “Let’s just say you get attacked in that one network and it’s severe enough it makes you say, ‘OK, I’m going to take my applications [and] my users and I’m going to move it over to the exact same copy of that network over here and run it or just keep moving it.’ So now you have a hard time attacking that surface because it’s constantly in motion.”
Lynn compared the concept to troops’ use of frequency hopping when communicating on radios.
The Defense Department has been investing in software defined networking for a little over a year and it recently began working with more industry partners on the effort, he noted.
“I see it as something that is going to be part of our networks until we build networks differently in the future,” he said. “I see us continually investing in that and building that capability.”
Attributing attacks and identifying hostile actors in cyberspace has long been a challenge for the U.S. government as well as private industry. The Pentagon is looking for ways to prevent spoofing.
“One of the troubling spots with the network and with the internet right now is … you can pretend to be somebody else and move on that network,” Lynn said.
If defense officials had technology that would provide 100 percent assured identity, they could block foes from accessing the network or boot them off after they were detected and prevent them from returning, he said.
Right now, civilian and military personnel use common access cards, or CACs, to log into Defense Department networks. But Pentagon officials are looking to create a more secure method.
“We really need to take a look at doing identity differently,” Lynn said. What comes after the CAC card is a critical question facing cyber officials, he added.
Encryption is another key tool for thwarting malicious actors. As computing power increases, older encryption becomes easier to break, which makes securing classified systems harder. That’s why the Defense Department wants to acquire better tools to protect its information.
“Every day it’s easier and easier for people to break the encryption we have out there and we’ve got to get better at it,” Lynn said.
While technology development is moving fast, the Pentagon’s acquisition rules make it difficult to push new IT into the force quickly. The prevalence of legal challenges to contract awards isn’t helping either, Lynn said.
It is especially difficult for the Pentagon’s information technology components to do business with startups, he noted. Visits to DIUx and discussions with business leaders in the tech sector gave him insights into some of the challenges on this front.
“They’ve got to make money fast,” he said. “A new paradigm for those startup companies is something that we’re trying to work right now. How do we get them in the door and provide some use to the department when their burn cycle is about nine months?”
To better take advantage of innovation, Lynn’s command is also seeking opportunities to reach cooperative research-and-development agreements with industry.
Technology isn’t the only concern for the Defense Department when it comes to IT. Personnel issues also pose challenges. In recent years, Cybercom has been beefing up its force. All 133 of the planned cyber mission teams are supposed to achieve full operating capability by the end of September 2018. As of February, the command was not on track to meet that goal, Rogers said.
Training throughput is “probably the single greatest limiting factor,” he said. Among the services, the Air Force is having the most trouble in this regard, he added.
When queried by lawmakers, the cyber chief said hiring more contractors to fill out the force isn’t necessarily the right solution. About 25 percent of Cybercom personnel are contractors, he said.
“I’m a little bit leery of becoming over reliant on contractors,” he told lawmakers.
In accordance with the law of armed conflict, military operations in the cyber domain need to be conducted by military personnel, Rogers explained.
“I’m not trying to minimize the role of contractors,” he said. “We’ve got to step back and ask ourselves what’s the right allocation. I’m pretty comfortable right now.”
However, industry could potentially play a greater role in training cyber warriors, he said. “I’m open to … the options that are out there. And clearly academia and the private sector are part of that solution set.”
While Defense officials see the commercial sector as an important partner in the development and acquisition of cutting-edge IT, the two sides are also competitors when it comes to recruiting and retaining experts. The Pentagon is at a disadvantage in this battle, Halvorsen noted.
“Google announced they’re raising the pay for cybersecurity [professionals] by another 20 percent,” he said. “That’s going to keep impacting our ability to attract talent. If you ask me about the budget [and] what keeps me up more at night, that’s probably the answer.”
When it comes to the recruiting pool, the Defense Department could also be hampered by the fact that science and engineering programs at U.S. universities are not producing enough cybersecurity experts.
According to the findings of a recently published report by CloudPassage, only one of the top 36 U.S. computer science programs (as ranked by U.S. News & World Report last year) requires a security course for graduation.
Robert Thomas, CEO of CloudPassage said: “With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there’s a growing skills gap between the bad actors and the good guys.”