Recently, when members of the armed forces spoke before Congress on the government's cybersecurity preparedness, the Pentagon's top information-security official, Robert Lentz, offered this sobering statistic: last year, DoD detected 360 million attempts to breach its networks, up from six million just three years ago. The threat isn't going away, either. “I think the state of the threat is going to be many, many times worse than it is today,” Lentz says in an exclusive interview with ExecutiveBiz. That, he adds, is what makes strengthening the alliance between the federal and private sectors so essential. “We must all come together and work, not only as federal sectors but with the private sector, to get on top of these problems … it's really going to be a team effort,” he says. Here Lentz offers his take on the Department of Defense's key areas of focus on the cybersecurity front, and how the private sector can be part of the solution.
DoD's key areas of cyber focus
On the cybersecurity front, the Department of Defense has several key areas of strategic focus:
- Cyber-oriented information assurance. In the past, information assurance has primarily focused on the “static layers” of the Department of Defense, says Lentz. “We are concentrating on making the latest architecture and strategy adopted in the Department of Defense for information assurance more cyber-oriented … we have to be able to do things much faster than what we have traditionally been trying to deal with in our layers of defense,” says Lentz.
- Shift to “dynamic defense.” “You have to take into consideration the fact that environmental conditions are constantly changing, especially as you move further away from the more safe zones like headquarters [toward] more tactical environments,” says Lentz. He calls that realization a “major strategic change of focus.” “The best way to look at it is moving from defense in depth to dynamic defense,” he adds.
- Device-to-device oriented architecture. “We have a lot of people in the network and we have a tremendous education and training challenge every single day,” says Lentz. “The goal is to work with industry to get more of a device-to-device oriented architecture to remove as many of the people who are touching the network in order to be able to, once again, deal with that cyber security environment where time and space are so critical,” he says.
- Web 2.0 and 3.0 technologies, and cloud computing. “We need to begin to leverage those architectural principles and technologies as fast as possible,” says Lentz, adding, “We need to ensure that the web 2.0 and web 3.0 environments also take into consideration cyber security.”
How industry can help
“We are working closely with industry to try to maximize our investments,” says Lentz. DoD's efforts in transforming certification and accreditation to achieve faster fielding and reciprocity have been critical. To build upon a public-private partnership, adds Lentz, it's critical for industry to focus on three key areas:
- User-friendly, adaptive technologies. Industry has to focus more on “user-friendly, adaptive technologies,” says Lentz. “Too many times we get capabilities that represent solutions that don't scale, that require a much more sophisticated individual to use them than we are able to train … not everybody is going to have PhD engineers sitting beside them to help configure their network,” he says.
- Common set of architectural principles. A common set of specifications allows for more interoperable capabilities, and for cost-saving opportunities. Lentz offers up a recent success story, involving DoD's data-at-rest acquisition. “That acquisition is a great example of how we all agreed on a common set of specifications for dealing with data-at-rest encryption,” says Lentz. “We worked with industry, we worked within government, not only within the national security community but [with] state and local governments, and drove down the cost to the point where we are paying approximately $6 to $9 per software license [as opposed to $100 per software license] for data-at-rest,” says Lentz.
- Focus on mid- to long-term research goals. “If we can agree on common standards, then we need to also, in parallel, shift to [discussion] of research goals,” says Lentz. “On the research side, we all need to focus on mid- to long-term research objectives … to make sure that our research plans are all coming together and that people aren't duplicating research efforts,” says Lentz. A common set of standards allows for a more enterprise-wide approach to R&D efforts, he adds. IA Connect, sponsored by Lentz's office, is an example of success in the research realm. IA Connect provides a single interface within the DoD to facilitate initial interactions and conduct research on commercial IA vendors and their products, and gives small businesses access and insights to the Department.
What else should industry be doing to strengthen DoD's cybersecurity posture?