Does a centralized approach help or hurt DOD cybersecurity?

Panelists at the 2015 Open Architecture Summit described the current problems with the standards, policies and strategies handed down from on high.

The government puts a lot of effort into establishing security policies and practices for its networks. The question, though, is whether its centralized approach, filled with bureaucratic hoops, is helping or hindering its cybersecurity efforts.

“I will say it’s really not that we don’t have a standard, it’s really that we have too many standards,” Col. Linda Jantzen, Army Chief Data Officer and acting director of the Army Architecture Integration Center, said at the 2015 Open Architecture Summit Nov. 4 in Washington. “I will say we have a lot of work to do to correct decades of developments of single-function, stove-piped systems that use a range of standards, non-standard protocols with vendor lock-ins, incompatible schemas and processes.”

For Capt. John Zimmerman, Naval Sea Systems Command deputy CIO, it’s all about what he calls “cyber value.” Zimmerman offered an anecdote from one of his warfare centers in which 43 packages of systems had to go through accreditation or certification. Each package had 20 comments that had to be adjudicated, for a total of 860 comments. The result: the work took 32,250 man hours across 18 months, at a cost of $3.5 million. All of the systems became accredited, but as it turned out, only one minor technical issue had to be fixed. Zimmerman said this was a process that required a lot of paperwork but didn’t offer much value in return.

Despite significant progress made within the Defense Department in terms of cybersecurity, Zimmerman said that the top-down policy approach is not ideal. “Every time I see a one- or two-page policy memorandum that comes out from on high, I cringe because it’s kind of like ‘this is the one-size-fits-all policy by-God you’re going to implement this.’ What ends up happening is I will tell you we’re living in waiver hell,” he said, adding that top officials don’t have expertise in combat systems.

By waiver hell, Zimmerman said he meant that his good engineers have told him that they sometimes cannot install certain security systems on their networks under a one-size-fits-all policy, so they have to go through the lengthy waiver process, which takes away from research. 

“I don’t think we can address cybersecurity with a centralized solution … it has to be more decentralized … It’s not going to happen by Secretary [Ash] Carter issuing two-page memos,” he added. 

Adm. Michael Rogers, Commander of Cyber Command, has many times expressed similar sentiments, saying, “There is no one-size-fits-all” approach in the cyber domain.

While Zimmerman noted that the notion of a cyber 9/11* is within the realm of possibility, he said he is much more concerned about what he called cyber mania, which ignores the levels of risk. “What I worry about today is the sort of thinking that I think captures cyber mania of ‘be afraid, be very very afraid.’ I really think that we’re not going to make progress until we can really understand the various probabilities of various risk. And what I see a lot is ‘let’s fix every vulnerability.’ And that is not a strategy … We have to be able to tell the difference between something that is highly improbable and something that is very probable and might have a big effect – and that’s how we’ll get value out of our efforts.”
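Zimmerman’s point is that a likelihood-times-consequence view orders work differently from “fix every vulnerability, worst label first.” The following planner is an added illustration, not code from the article or from any DOD program; every finding, probability, dollar figure and hour count in it is constructed, and the function names are hypothetical. It ranks the same findings by severity label and by expected loss, then shows how a fixed engineering budget would be spent when each hour goes where it averts the most expected loss.

```python
from dataclasses import dataclass

# Hypothetical remediation planner illustrating risk-based prioritization.
# Not code from the article or from any DOD system; all sample data is constructed.

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str              # label a scanner or checklist would assign
    annual_probability: float  # estimated chance of successful exploitation per year (0..1)
    impact_usd: float          # estimated loss if it is exploited
    fix_hours: float           # engineering effort to remediate


def expected_loss(f: Finding) -> float:
    """Annualized expected loss: likelihood times consequence."""
    return f.annual_probability * f.impact_usd


def rank_by_severity(findings):
    """The 'fix every vulnerability, worst label first' ordering."""
    return [f.name for f in sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])]


def rank_by_expected_loss(findings):
    """Ordering that separates probable, high-impact items from improbable ones."""
    return [f.name for f in sorted(findings, key=expected_loss, reverse=True)]


def plan_within_budget(findings, budget_hours):
    """Greedy plan: spend limited hours where each hour averts the most expected loss.
    Returns (chosen names in order, expected loss averted, hours used)."""
    by_value = sorted(findings, key=lambda f: expected_loss(f) / f.fix_hours, reverse=True)
    chosen, averted, used = [], 0.0, 0.0
    for f in by_value:
        if used + f.fix_hours <= budget_hours:  # skip items that no longer fit, keep looking
            chosen.append(f.name)
            averted += expected_loss(f)
            used += f.fix_hours
    return chosen, averted, used


# Constructed sample findings (not real systems or measurements).
SAMPLE_FINDINGS = [
    Finding("critical-but-isolated-console", "critical", 0.01, 5_000_000, 400),
    Finding("phishing-exposed-mail-gateway", "medium", 0.60, 500_000, 40),
    Finding("unpatched-web-portal", "high", 0.30, 800_000, 120),
    Finding("legacy-radio-config-service", "low", 0.05, 50_000, 10),
]

if __name__ == "__main__":
    print("by severity label:", rank_by_severity(SAMPLE_FINDINGS))
    print("by expected loss: ", rank_by_expected_loss(SAMPLE_FINDINGS))
    chosen, averted, used = plan_within_budget(SAMPLE_FINDINGS, budget_hours=160)
    print(f"160h plan: {chosen}, averts ${averted:,.0f} expected loss using {used:.0f}h")
```

With the constructed data, the severity ordering puts the isolated “critical” console first even though its expected loss is a fraction of the mail gateway’s, and the 160-hour plan spends nothing on it. The probabilities and impacts are the hard part in practice; the code only makes the trade-off explicit once they exist.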

Vern Boyle, director of technology for the Cyber Division at Northrop Grumman Information Systems, said that approaches to cybersecurity should assume the worst-case scenario—that systems will eventually be attacked successfully. You have to acknowledge that the enemy is going to be inside the system, he said, so it’s best to start there in terms of discussing solutions. “I think one of the fundamentals is to start by acknowledging that you’re not going to be able to fully eliminate the threat from the system. I mean your point of trying to fix every single vulnerability, it really can’t be done,” Boyle said.

“If you start from the perspective that the system admin in the air operations center is the insider threat,” he said, “it really forces you to think about a different strategy for protecting the system. If you start with the point of view that destructive malware will be deployed on the system that you’re trying to operate, that really changes your thinking about how to secure and protect the system.”

* An earlier version of this story referred to a "cyber Armageddon," which was not the term Zimmerman used.