As Department of Defense deputy CIO for cybersecurity – and the Pentagon’s CISO – Essye Miller takes the reins on a range of initiatives, some already existing and some her own. Regardless of their origin, expect to see DoD CIO cybersecurity initiatives gaining traction across the military: Miller means business when it comes to securing networks and IT infrastructure.

Let’s start with the cybersecurity scorecard. What is it, where does it stand and how is progress going?

My predecessor [Richard Hale] started the scorecard about 18 to 24 months ago. During that time, we determined we need to truly understand: What does the network look like? What was on the network in terms of operating systems? How many individuals with elevated rights did we have? What is the no-kidding security posture of the [DoD Information Network]?

When we started, we thought we had fairly good definitions for each of the metrics. But we all read from a different perspective. It took us a few months to really, truly understand what we were looking for, what we were looking to measure and to get to some point where it was not all manual reporting. We instituted a bit of an automated process to help the services capture 11 specific metrics that we were reporting on a monthly basis.

What we found over time was that it was a great opportunity to push the force, and to truly get their arms around what was out there; and for us an opportunity to measure progress over the last two years. We have a better picture of operating systems. How many privileged user accounts we have. The posture of our web servers, which gives us some semblance of the posture of the enterprise.

I think we have a really good idea of at least who we are from that aspect. Now, the next iteration is transitioning to what I call Scorecard 2.0. The next iteration will [involve] taking the threat and aligning it with the posture of the network to understand where our risk is. It’s a more real-time network vulnerability [assessment] so that we can generate risk scores, and determine where we need to make decisions. Either command-type decisions or investment decisions, to posture ourselves to better make decisions based on the actual scoring of the network versus whether or not we’re compliant.

Migrating to the cloud has been a big effort for DoD CIO. What’s the status?

We’re investing a fair amount of money in FY17, about $22 million; and then I think we’re budgeted at about 180 million in FY18. But, we’re tracking over 350 cloud efforts across the department.

All, of course, in different aspects, everything from unclassified efforts to some secure efforts as well on the classified side. I have been working with what I call the Big Five cloud providers. Those that are doing industry as a service, and software as a service, and platform as a service, all three offerings.

There are five companies that do all three; we’re working with them to identify any barriers as we transition. How may we need to look a little bit differently at how we’re doing this? For example, we have requirements for a cloud cybersecurity service provider to do the monitoring and security work for any workload that goes to the cloud.

Some of that we determine is inherently governmental. But there are some functions they have that our industry partners can probably do for us. We could focus on those roles that are truly inherently governmental.

Cyber workforce is, perennially, a major issue for DoD, like the rest of the government. What are you doing to attract and retain cyber talent?

The 2016 NDAA gave us authority to establish the Cyber Excepted workforce. That gives us some of the flexibilities that we need in hiring; and a bit of flexibility in the salary adjustments to help us with recruiting. I think we will always have a hybrid of talent. Some folks that we raise organically and some talent that we bring in from industry; and at some point I would love to see us be able to have folks come in and help based on our emerging needs.

We can do some of that with contracting now. But, I think we’re still in competition with industry to hire and to retain some of that talent. But having a Cyber Excepted Service in place will help us do that.

You have to get to the heart of the individual, what they ultimately want to do. This is an opportunity to serve and to do some things that they probably wouldn’t be able to do from an industry aspect. That is the messaging that we have got to get out to our young talent.

Now that you’re in the role of CISO and deputy CIO for cybersecurity, what are your top priorities?

Obviously, at the top of the list is providing our warfighters with the best IT and cyber capabilities that they need. That is assumed across the board.

Behind that is the continued hygiene. How do we continuously educate the workforce so that they understand? This is not a cyber problem or an IT problem. The environment is such that each one of us has an opportunity to introduce vulnerabilities to the network.

That’s why I get really excited about Cyber Security Awareness Month. Because we have an opportunity to do a focused effort on educating across the board, and getting the word out.

The next one is technology assertion. How we keep up with an evolving technology. Endpoint management and automated patch management, artificial intelligence, autonomous capabilities are all important to us. How do we posture ourselves to take advantage of those advances in a quick way?

It’s so we don’t get bogged down again in the compliance process before we bring in a capability, assess the risk and make the capability available. In that same vein, it’s adoption: How do I migrate those cloud-ready capabilities, our applications, in a secure manner?

We want to ensure we’re taking advantage of what commercial industry has to offer, but I can still protect the workload and make sure that we’re not introducing risk to the Department of Defense Information Network. I think that will be a major push for us over the next six to 12 months.

The last one, and the more tactical, is completing our migration to Windows 10. We started that almost two years ago now. The Secretary had said, “We will be done by March of 2018.” The services and agencies have had to adjust, and not only their investment strategy, but their deployment strategy to make sure they meet that mandate. Because that will ensure that we are operating or we’re maintaining a more secure operating system.
