In part I (available here) of our interview with Mark Orndorff, head of Information Assurance at DISA, we learned about some of the key areas DISA is focusing on along with how he seeks to balance the need for warfighters to have access to information while ensuring the security of data. In part II of our interview, Orndorff discusses the issue of privacy on DoD networks, how DISA looks to remain competitive in attracting the best and brightest in the cybersecurity field, and his areas of greatest concern.
TNNI: How does DISA work to balance privacy concerns with effective security?
Mark Orndorff: From a DoD perspective, any user of DoD networks is given a notice as they log on letting them know that they are giving their consent to monitoring. Once you log on to a DoD computer, whether it’s DISA or any place else within DoD, you’ve consented to full monitoring of all of the activity that you do on those computing systems. We certainly aren’t the legal authorities for the Department of Defense, but essentially as operators and defenders of DoD networks, once you’ve given the consent to monitoring, we are able to effectively operate all of our security capabilities and don’t really have a lot of privacy limitations to keep us from doing what we need to do to defend the networks. The only caveat to that would be before we target any individual specifically to monitor them as a unique individual, we would go through all of the legal processes. As far as monitoring our networks in a general sense for attacks, the privacy concerns are not a big constraint for us.
TNNI: The demand for skilled IA professionals is increasing and competition is growing in both the government and private sector. How does DISA plan to continue to attract top talent?
Mark Orndorff: That’s a great question and definitely a challenge that is facing us as we speak. We are working this week to try to fill quite a number of vacancies and address the problem that you are talking about. We are recruiting heavily to bring in additional IA professionals at the same time we are preparing for a move to Fort Meade where we know we’ll lose at least a percentage of the people that we have on board today. DISA had a couple job fairs up in the Fort Meade area where we’ve had just a tremendous turnout and got a lot of talented people applying for our positions. We’re going through resumes and conducting interviews to bring in talent from those job fairs. Also, DISA’s personnel office has a tremendous program going out to colleges and doing an aggressive recruitment program to bring in talent from the universities. I’d say DISA has one of the best intern programs in DoD. If you look at the leadership level all of the way down, we’ve got evidence that the intern program is bringing in talent, keeping them in DISA and keeping them involved in continuing to grow our expertise in depth. As we go forward, especially in the information assurance area, we’re heavily dependent on the intern program and we work that in partnership with NSA where NSA has an active effort to offer up scholarships for college students with a commitment after graduation for a tour of service with the government. We get a good number of interns coming out of that program and that’s been a huge benefit for us.
TNNI: What are some areas of greatest concern to you in the IA field and why?
Mark Orndorff: We pretty much touched on the areas of concern by going through the areas we are focusing on. I did have one addition to that list and that’s in the general heading of configuration management. At the risk of overstating the situation, I’d say to some degree our approach has been to look for vulnerabilities and then try to put resources against vulnerabilities to get them fixed. I think the biggest challenge is to come up with a different approach where we try to prevent those vulnerabilities in the first place. What we’re discussing here right now is how to have a different approach of the general problem of configuration management to try to get systems configured properly in the first place before we buy them and definitely before we install them and then keep them configured that way versus operating systems on a network, looking for vulnerabilities and then sending out tasks to fix those vulnerabilities. Part of the solution is to work with industry to have systems delivered to us that are secure when we get them versus getting systems that we have to go back through and then try to lock them down and get them into a state that’s more operationally safe and then have the tools and technology to maintain secure configuration while we are able to get the operational effects that we’re trying to achieve.
TNNI: Did you have anything else that you would like to add?
Mark Orndorff: I guess just to close out, I’d say two points. One is, I think we have a fantastic partnership with industry. We’re not typically in the development business. We are in the business of finding commercial products and getting everything we possibly can out of them. I think over the last 18 months that I’ve been in this position what I’ve seen is that industry is delivering capabilities that are effective at the DoD enterprise level where two years ago we would have not had the options to deliver solutions for that class of problems. I think industry is stepping up and working with us and delivering solutions and we continue to have a great partnership. At the same time, we’re working internally to extend the industry capability to fully address the operational requirements and military requirements that we have to deal with. The second point that I wanted to make was on the work force side. I think that DoD in general has a wonderful set of cyber warriors working as hard as they can every day to balance the need for safe information sharing and getting the operational effectiveness that we need to achieve at the same time providing the security that we have to have to fight off a cyber attack and defend our networks. We have a great work force and a great team here at DISA and a great partnership with our military services as we operate and defend DoD networks every day.