For some branches of the military, a DevSecOps approach to cybersecurity is the best way to shield their networks from the onslaught of ransomware and cyberattacks from nation-state actors.
Cyber leaders from the Navy, Army, and Defense Information Systems Agency said their cyber strategies include multiple facets, such as Agile methodology and cultural overhaul, to maneuver the current cyber landscape.
“Over the years we've shifted from the bolt-on methodology to cybersecurity that's baked in,” said Rear Adm. Susan BryerJoyner, director for the Navy's cybersecurity division, during a GovConWire Cybersecurity in National Security event last month. “We've also done a change in our culture. Everybody has come to realize that cybersecurity is an all-hands effort. Do your part, be cyber smart.”
BryerJoyner said she’s focused on integrating cybersecurity into the Navy’s systems engineering in order to simplify cybersecurity processes. But new methodologies aren’t always enough. Sometimes the key to better cybersecurity lies in the tools you already have, Joyner said, such as data.
“The secret sauce is not in the data your tool is producing, it's in the way your tool handles the data,” she said.
For example, the Navy uses data to analyze cyberattacks and help “properly defend” its networks against future attacks.
“At the end of the day, if we look at DevSecOps and that Agile approach to cybersecurity … we need to make sure they have data available to them, where it is, and how they can integrate those feeds into whatever function they're trying to perform,” BryerJoyner said.
Early software testing, which is integral to DevSecOps, is a key component of the Department of the Navy Acting CISO Tony Plater’s cybersecurity strategy.
“I'm [also] focused a lot on interoperability and performance requirements,” he said at the event. “Previously we found when we had 100% coverage of cybersecurity requirements but terrible performance on our networks, that became a significant issue for our end users, the warfighter, the business unit.”
Compliance only goes so far if you’re still experiencing breaches, he said. So, Plater deprioritized compliance requirements and focused on cybersecurity performance instead.
“80% coverage with better performance is more of a viable path,” he said. “From a prioritizing perspective, we're looking at how we do things differently. In many cases we knew what all the cybersecurity requirements were, and now we're trying to change perspective, how does the adversary see our network and what can they get to? That's one of our strategic initiatives … pivoting to readiness, rather than just compliance. We want to [be] data-driven, operations-relevant.”
For Matthew Easley, CIO and director of cybersecurity at the Department of the Army, balancing cybersecurity with IT modernization is his biggest challenge. Keeping his focus on the mission helps him balance these two priorities.
“We have to prioritize our cybersecurity requirements and really understand which ones are getting the most return on investment,” he said at the event. “We're doing that with the rest of our cybersecurity community — what types of security controls are non-waivable? And which are waivable in certain circumstances? And do that in a cohesive manner and get better inheritance between security controls and what's being provided by a network and weapons system platform.”
The shift to zero trust architecture helps simplify and streamline cybersecurity for the Army, he added.
“It's really important that as we move into this new paradigm for cybersecurity and use software to identify networks and bring our own devices and use different techniques to defend endpoints, that we do that in a logical manner and not use a one size fits all for a million endpoint users in the U.S. Army,” he said. “Certain categories will need a higher level of defense, and a little less defense at our newer soldiers coming into the formation.”
Implementing new cybersecurity methods requires cultural adaptability and resiliency, but the current cyber landscape also calls for a dash of realism: no one is safe, and everyone will suffer a cyberattack at some point.
“The biggest thing continues to be culture,” said DISA Director Lt. Gen. Robert Skinner. “How do you change the mindset of never letting anything in, to making sure that if you are breached, you have the right resiliency in place and other initiatives so that you limit the impact it does have? Because it will happen at some point.”
Skinner said email continues to be the No. 1 cyber risk for most federal agencies, including DOD. The best way to fight these cyber threats is through systemic cultural change.
“The culture of users and administrators [needs] to change from being a passive administrator to an active,” he said. “So how do you retrain and hold people accountable for breaches of cyber rules and guidance you have out? The whole notion of, if you get an email that says ‘free’ on it, to hold back the temptation of clicking on it. I know that's hard, but the more we continue to innovate the more the culture will change.”