The Defense Information Systems Agency is undergoing key technology transformational initiatives that stem from a holistic, Defense Department-wide, end-to-end cybersecurity approach.
And it starts with the 2018 DOD Cyber Strategy, which, among other things, outlines five cyberspace objectives, from ensuring the Joint Force can achieve its missions in the cyberdomain to defeating cyberattacks and securing DOD information systems. The strategy also sets a vision for addressing and implementing the National Security Strategy and National Defense Strategy.
“I think everyone’s happy to see and report that the National Cyber Strategy and the Defense Cyber Strategy are really pretty closely aligned,” Lisa Belt, cyber development executive at DISA, said Oct. 4 at GovernmentCIO Media’s CXO Tech Forum: The State of Cyber.
And of DOD Chief Information Officer Dana Deasy’s outlined cyber initiatives, Belt said ultimately, Deasy is taking the department through a more holistic enterprisewide approach to how it looks at cybersecurity.
Belt said the Program Objective Memorandums and budget cycles are out of sync and out of cycle with the technology advancement and evolution cycle, causing challenges for DOD as it tries to keep pace with its existing mechanisms and processes.
“[Deasy’s] foot-stomping point has been look, you can’t piecemeal this. If we don’t take an end-to-end look at cybersecurity to include workforce development and the systems and weapons platforms, we’re not going to get there from here,” she said.
So, DISA has been transforming tactically and strategically.
From a tactical edge, over the past couple years, the agency has been taking 10 to 12 years’ worth of developmental and deployment work — a lot of it partnered with the National Security Agency — which has grown into point solutions, and working to better integrate them. Point solutions are used to solve one particular problem, can be implemented quickly and usually without regard to other related issues.
“It’s been a lot harder than I would have projected at the onset,” Belt said, but DISA engineers are finally seeing opportunities for convergence. And the tools DISA is deploying keep pace with the general cybersecurity marketplace.
But there has been a challenge here, too. Belt said the solutions coming out of industry tend to be proprietary integrated solutions that make it hard for DISA in terms of data rights and ownership.
So, she asked the community, collectively, to think about ways to advance this cause, through creative thinking or even interesting business model changes.
Strategically, Belt said there are two major transformational efforts that are the “biggest bang for the buck” in her leg of the mission space.
One is getting after next-generation identity and authentication, which Belt said is fundamental to everything DISA does, and is critical as the agency moves toward automation and orchestration of “human out-of-the-loop decision making,” which she said has to happen.
And DISA is exploring the use of blockchain for identity, too. “We’ve got a group within DISA who’s looking at what apps make sense for blockchain,” Belt said, and she sees an application for it in identity and how DISA distributes its networks to apply blockchain to a defense-in-depth perspective.
The other strategic initiative DISA is tackling is data rationalization and data sharing. Data rationalization is a managed metadata environment application that organizes a domain’s concepts and categories into structured data, making it easier to search and to draw inferences for computer (or human) reasoning.
And these data efforts are important to cybersecurity, because, as Belt put it, “if we don’t get those two things right, we should probably just go home.”