Navy officials: Buying the right amount of cyber [Commentary]

635660901279578677-navy-cyber-commandjpg.jpg

Photo Credit: Department of Defense

The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the Department of the Navy, Department of Defense, nor the U.S. Government.

From the breach of the Office of Personnel Management to the hacking of the Democratic National Committee, the infiltrations of commercial and financial institutions and the persistent probing on the Department of Defense – cyber is making headlines daily.

No one wants to be caught flat-footed or seen as not taking cyber defense seriously. In this environment, it would be easy to overspend and foist a cost-imposition strategy on ourselves.

It is clear that DoD spending on cyber is on the increase – with cyber defense, offense and strategy budgeted at $5.5 billion in fiscal 2016 and $6.7 billion in fiscal 2017. What is unclear to me is if we are wildly overspending on cyber defense or getting it just right. How do we know, in relative and absolute terms, how much cyber risk we are buying down for each incremental dollar spent? Shaving $1 billion from cyber spend would cover the cost of a Ticonderoga class cruiser or buy roughly one-third of a brand new Virginia-class attack submarine.

The trouble is cyber is a huge topic. It is hard to figure out where to begin. The easiest thing to do therefore is to blindly throw IT at the problem in the hopes it will just go away. We have been here before, first with Y2K, then DoD Business Transformation efforts and Auditability.

Over the years I have worked in DoD, I have seen IT treated as a magic wand – something that makes poorly understood business problems go away. Sadly, that’s rarely the case. Compounding this is frequently the IT solutions the department settles on are massive, overly complicated and prone to failure. As one senior VP from a large IT company once said to me: “DoD’s experience with [large IT] has been catastrophic, ridiculously expensive and unsustainable.”

Moreover, according to Deputy Under Secretary of the Navy for Management Tom Hicks, since cyber defense has been such an emotional topic, seemingly all anyone has had to do is scream “cyber” and dollars would fall from the sky. No more. At a time when the incoming administration wants to recapitalize the force that is nearing a breaking point, while at the same time build a 350-ship Navy and a 194,000-member Marine Corps, we can no longer afford this.

When constrained by finite resources, these large acquisitions can come at the expense of less-costly non-material solutions, many of which are immediately deployable and effective. Finding these agile solutions involves disaggregating the problem to fully understand the actors at play.

IBM’s 2014 cybersecurity survey of nearly 1,000 clients found that out of all investigated cyber incidents, human error was identified as a contributing factor more than 95 percent of the time. As notorious hacker Kevin Mitnick said, “Human failings … can undermine even the cleverest security measures.” A 2016 Verizon report investigating more than 100,000 cyber incidents tied two-thirds of successful data breaches to weak, default or stolen passwords. In this same data set, 30 percent of phishing emails were opened by recipients; with 12 percent proceeding with the regrettable “click” that allowed the attack to succeed.

Small investments in this one area can have a big impact on cybersecurity by propping up the organization’s first line of defense – the end-user. The 2014 Cyber Hygiene Campaign, which involved a coalition of organizations including the Department of Homeland Security, published a prescriptive set of basic, inexpensive cyber hygiene steps estimated to prevent 80 percent of external attacks.

To effectively move forward with regard to cyber, we have to look not only at IT but beyond that and treat it as a management problem:

  • We will need cyber experts. Do we grow that talent organically, like pilots, or buy it commercially? How can we “harden” the cyber workforce by ensuring they have the training, longer-term education, skills and tools needed to perform effectively, as well as compensation to encourage high-performers to stick around? Do end-users understand how their actions impact data and system security?
  • Do we have the right “colors of money” to address cyber issues? In the face of competing department priorities like auditability, how can we effectively make the case for execution-year dollars now for targeted, immediate use? (Government could learn something from private industry here.)
  • How can we incorporate non-material solutions and avoid defaulting to large acquisition? For essential IT investments, do we need an agile acquisition system tailored to cyber (and IT)?
  • Risk assessment. We have enormous IT and networks that cannot be refreshed tomorrow. How will we assess cyber risk in existing organizations and systems? How are we balancing and prioritizing defenses of NIPR versus classified networks? Are we adequately defending connected platforms, attendant mission systems, and components with embedded software?
  • Governance and Organization. Cyber governance is highly fragmented. We need one leader who can oversee and coordinate the policy, funding, technical authority and cyber safety execution across the entire organization. How can we organize to ensure timely, unified and coordinated response to threats?
  • We need to effectively utilize predictive analytics to fix the biggest vulnerabilities and anticipate the next threat.
  • Custom and commodity IT will require different ownership and sustainment models. Highly customized systems will require the government to own the solution. Alternatively, commodity business systems can be leased, putting the onus of security on the lessor.

Determining where to invest limited resources takes work. But by defining specific desired outcomes up front, organizations can prioritize critical vulnerabilities – focusing efforts where they are needed now – and matching the amount of resources they are willing to spend with the level of risk mitigation they are trying to achieve.

Michael Stewart
Deputy Chief Management Officer/Director of Business Operations
Department of the Navy

Steve L. Surell
Risk Analyst
Office of the Deputy Under Secretary of the Navy (Management), Business Operations Directorate