The Defense Department is aligning its National Defense Strategy with the chief information officer’s top cyberpriorities, and in the coming weeks, a cybersecurity strategy and artificial intelligence strategy will follow suit.
But achieving the goals outlined in the NDS and DOD’s overall CIO priorities relies on partnerships.
“We realize that we cannot do our mission to uphold the constitution and perform national security without a partnership of inner-government, whole-of-government and international coalition partners,” said Thomas Michelli, DOD's acting deputy CIO for cybersecurity. He spoke at the July 17 GovernmentCIO Media CXO Tech Forum on national security in Arlington, Virginia.
Michelli called upon both government and industry to help DOD understand its cyberrisk, manage that risk, adopt the tools to fight through those risks and achieve cyberresilience.
“We don’t know it all in the department, we know what we need to do, and what we want to do, but how do we do that? We’re looking to our partners,” Michelli said.
So, DOD is focusing its efforts and dollars to the priorities set out in the NDS, and the soon-to-be-published cybersecurity strategy, according to Michelli.
“All these things are mutually supportive," he said.
The three strategic approaches outlined in the NDS are: build a more lethal force, strengthen alliances and attract new partners, and reform the department for greater performance and affordability to minimize unnecessary risk.
DOD CIO Dana Deasy has outlined four major cyberpriorities intended to support the NDS: cloud, artificial intelligence, cyber dominance, and command, control and communication modernization.
“What’s happening today in cyber is happening so fast; we have to have a way to respond in milliseconds,” Michelli said. Enterprise cloud is the foundation needed to unlock the potential of technology advances for DOD and service members, and opens the door to AI and the ability to process mass amounts of necessary information.
And, as Michelli said, “AI will help us provide lethality” and modernize C3 systems, which are needed for mission assurance. Overall, cyberdominance will render a security-first mindset driving everything DOD designs, builds and operates.
DOD has broken down each of those priorities to identify a top 10 list crucial to strengthening the cybersecurity of federal networks and critical infrastructure, but Michelli said he wasn’t able to share that list without “exceeding the classification of this briefing.”
But Michelli did say C3 was an important part of this top 10 list, and fundamental to C3 are DOD’s networks and improving the resilience of those networks. He specified certain aspects of a secure network and said DOD is defining its outcomes based on those components, and is asking industry to help provide the tools and means of getting there:
Comply to connect: “If you don’t know what’s on your network, how can you anticipate that risk and where that risk is coming from, and how do you fight through it?” Michelli asked.
Cyberworkforce: IT relies on people, processes and systems. But without the right people, Michelli said DOD can’t operate its system or processes correctly. AI is meant to automate what humans do, while humans train the machines and set the right rules and knowledge base. So, DOD is exploring how to capture and retain that talent in government.
Identity Access Management: This provides visibility into who is on the network and where that user is authorized to go. Michelli said DOD is looking at role-based access, attribute-based access and next-generation identification.
Application Development: DOD has very old systems that were not build with security, networks or cloud in mind. Current software needs to rely on agile development and Sec-Dev-Sec-Ops, and should be built with security from the ground up and incorporated throughout the operations and deployment of that software. “We need to look at how we can refactor it, and make it cloud-native software,” Michelli said.
Michelli also noted DOD is “about ready" to announce an AI strategy due out in weeks' time, and the department is setting up several capabilities within the department related to AI. He said it will be parallel to the cybersecurity strategy, and the timing of release will be similar.