Army moving away from compliance-based cybersecurity

As the Army modernizes its network, it is looking at evolving the way it protects and defends critical IT and cyber terrain.
U.S. Soldiers of the 392nd Expeditionary Signal Battalion in Baltimore, Maryland, assemble an OE254 Radio antenna for communication on Joint Base McGuire-Dix-Lakehurst, NJ, June 21, 2019. (U.S. Army photo by Spc. Andrew Washington)

As the Army modernizes its network, it is looking to emphasize cybersecurity operations as the next step in maturity, moving beyond compliance.

Officials have described becoming more proactive against cyber threats as opposed to a reactive posture, which involves enhancing the training and abilities of the signal corps, improving policies, and developing new concepts and capabilities such as the central delivery of services.

“We’ve been doing cybersecurity operations, but it’s been exceedingly compliance based. Meaning, fill out the checklist … you’re cyber secure. Against a thinking adversary, we know that won’t work,” Lt. Gen. John Morrison, deputy chief of staff, G6, said in an interview. “We’re really shifting from a compliance-based approach to really be active in cybersecurity operations. That is the big shift that I think you’re seeing not just inside the Army, but across the entire Department of Defense … I think the reason that we pound on cybersecurity operations is really making sure that folks know that we are transitioning from a compliance-based, very passive approach to cybersecurity and rapidly moving to something that’s much more active in the day-to-day.”

The Army has been on a multiyear journey to mature its network, consolidating the various instantiations from the tactical level and the enterprise to create what the service calls the unified network that soldiers can access all over the world regardless of theater or echelon.
As part of this push, the Army wants to better integrate the functions of cybersecurity and cybersecurity operations — which in some circles are thought of as defensive cyber ops that seek to be more proactive and hunt malicious activity on the network rather than being more reactive to threats.

“This thing that we called cybersecurity operations really does bleed over into what is defensive cyber operations. I think the big thing that it does is it starts focusing us on being less focused on the administrivia of the day and work focused on the technical risks,” Leonel Garciga, the Army’s chief information officer, told DefenseScoop. “I think that’s really what it boils down to and that’s the distinction. It’s how do we start moving in a direction where we’re more holistically focused on understanding the data that’s being delivered on the network, right, the unified network, and being able to react to that data, whether it be from a threat, or a status of our posture. That’s different.”

Bucketing these notions in this way allows the Army to begin to reduce complexity.

“It allows us to take a look at, okay, so for the basic, the threat agnostic, defensive of our network — read cybersecurity operations — then if we layer that across the unified network, we’re able to now layer in capabilities and force structure, right, so we can put complexity in the right spot,” Morrison said.

One of the major efforts associated with the unified network approach is moving complexity from lower echelons so they can focus on warfighting, not getting their communications or IT established.
Part of that is centralizing the delivery of services and capabilities like Unified Security Incident and Event Monitoring, which aims to provide end-to-end network visibility across all echelons, spanning the strategic enterprise level all the way to tactical formations.

“By moving towards this notion of unified net ops and defense capabilities, we’re now able to layer that on echelon that, quite frankly, we had not been able to see at any other time. We introduced new capabilities like Unified Security Incident and Event Monitoring, that now go across all echelons from strategic, operational, down to the tactical edge, where everybody can see the same thing and then the person with the time to act on it, can then act on it,” Garciga said. “It helps us from a budgetary perspective, it’s going to help us from how we actually organize our forces to conduct cybersecurity operations. And then it’s, quite frankly, going to take that complexity off the edge and give it to folks that actually have time to manage.”

Garciga noted that efforts to modernize the network — whether it’s Risk Management Framework 2.0, new software or new policies — change the nature of cybersecurity itself and thus change the skill sets that are needed.

“As we look moving forward and getting not reactive, but proactive against cyber threats and you’re starting to see that scale out to the traditional part of the Signal Corps and how we deliver services — and that’s an important distinction and change that’s happening as we move to the Army in 2030,” Garciga said. “In many ways as we are moving forward, right, taking this traditional approach to cybersecurity and operationalizing it, is, in effect, increasing the size of what we would call that defensive cyber operating force.”

Morrison described upskilling and reskilling efforts that the Army needs to look hard at for both the military and civilian side of the workforce.
“We’re just in the nascent stages of changing several of our specialties over to be data engineers to really start helping bring all that together at the strategic, operational and tactical spaces,” he said. “Training is really, really, really important. We got the depth we need right now, but I will tell you as this gets more and more inculcated across our Army, we need to build that technical depth across all of our formations.”
