In an effort to improve its cybersecurity posture, the Navy is moving away from the old compliance model to an ongoing readiness approach much in the way the service evaluates its forces and weapon systems.
Put bluntly, the Navy – and the Department of Defense writ large – has been taking the wrong approach, according to the service's chief information officer.
“Today, I would argue that the way that we do cybersecurity at the Department of Navy … is wrong,” Aaron Weis said Tuesday during the Cloudera Government Forum, which was produced by FedScoop. “We view cybersecurity as a compliance problem, and it is most definitely not a compliance problem. We have about 15 years of track record to prove that that’s not a viable approach.”
Since coming into government roughly four years ago from the private sector, Weis has repeatedly dinged the government for how it has lagged behind commercial industry, describing federal agencies’ capabilities as years behind where the current state of the art is for other organizations.
Under the old compliance model, a system is granted an authority to operate (ATO) on the network provided it checks off a series of requirements. Once those requirements are met, however, the system is never reevaluated against constantly evolving technology or threats.
This ATO process encourages poor behavior, Weis said, leading to programs having to jump through various hoops to get back into compliance.
“We believe that rather than compliance, a better model for cybersecurity is something that’s close to the military [approach to its warfighting posture]. It is a model rooted in readiness,” he said. “Readiness is something that is a dynamic model. As a commanding officer, you would exist every day on some continuum of readiness. It’s measured very holistically … It’s not a one and done. A CO does not say, ‘I have now achieved readiness, done, and I’m good for three years.’ That concept of one-and-done has to go away.”
Last November, the Navy instituted a new model it's calling Cyber Ready, which Weis said is meant to change how the service approaches cybersecurity so that systems re-earn their ATO continuously.
Weis added that the service created seven key themes for Cyber Ready, which are meant to make people uncomfortable because they represent a fundamental paradigm shift.
The first principle is measuring cybersecurity differently, which means more holistically with a risk and readiness mindset. This will involve widening the aperture beyond just cyber vulnerabilities and patches, Weis said.
Second, the Navy has to accelerate the initial ATO process by reforming the risk management framework. While the Navy has done good work on this type of reform getting hundreds of lines down to a few dozen controls, Weis said some matter more than others.
“What can we do to hone in on those to allow programs to quickly attain capability in a non-geological timeframe that allows them to be meaningful and then allow them to continue to expand their ATO and enter that realm of cyber currency,” he said, referencing the notion of constantly reattaining credentials or “currency” that allow systems to be secure on the network.
The third element Weis described is defining that cyber currency to determine the exact processes a program or system has to go through to continue to earn and re-earn that ATO.
Next is a trust-but-verify concept, which is “this idea that we want to test ourselves all the time,” Weis said.
While there are great red teams within the Navy and military that work to test systems, they are resource intensive and can't be used all the time across the board. Instead, the Navy must develop automated ways to apply red teaming capabilities, which Weis described as a purple team concept, so that they can be exercised all the time.
The fifth principle is democratizing insight and making information gleaned from Cyber Ready widely available for everyone to use when thinking about their cyber readiness. This will help commanders determine if they are truly ready from a cyber perspective by using data analytics.
Sixth, the Navy needs to adjust how it thinks about acquisition roles and accountability.
“We are going to have to move towards the mode where we are collaborating with the operator and the defender and the program office together versus this linear throw-it-over-the-fence mode that we’ve had in the past,” Weis said.
The last principle involves evolving the workforce to account for this new continuous approach. Weis said there are currently thousands of people in the Navy with risk management framework and ATO in their job titles.
“How are we going to evolve these people, expand their capability set into this new area where we have broad apertures rooted in an idea of readiness? That’ll be our challenge,” he said.
Overall, this new approach will not transform the Navy overnight. The service is currently on the first set of sprints and working to identify pilots.
“This will not be easy. It will not happen next quarter. It may not even happen in full next year. It will be a long process but we’re going to put the pieces in place as we start to evolve ourselves into a world where we have programs that are born cyber ready [with] cyber built into the requirements,” Weis said.
The aim is to have "actively engaged programs, operators, defenders, moving into a world where we are holistically measuring our state of cybersecurity readiness in an environment where programs and teams are earning and re-earning their ATO every day," he said.