In order to meet the challenges of cybersecurity, the Air Force and other military branches have to get their CIOs more involved in the mission, rather than just building and maintaining the underlying infrastructure, according to Brig. Gen. Sarah Zabel, director of cyberspace strategy and policy in the Air Force Office of Information Dominance and CIO.
While moderating a panel of Air Force IT and acquisition officials hosted by AFCEA D.C. Chapter on March 16, Zabel suggested a cultural shift in thinking that would "operationalize" the CIO to be more involved in the warfighting effort rather than strictly focused on the underlying networks.
"If you've been around the IT and cyber world long enough you see just how similar those worlds are," she said. "We have different people, different programs and habits of talking about these things as two worlds. They are not different worlds; they are the same world. That means the chief information officer has an absolutely integral, irreplaceable role in cyberspace. But we didn't approach it that way when we set it up."
Zabel noted that the CIO shouldn't be operational in the sense of "fly, fight and win the nation's wars" but should be thinking of critical mission factors when buying and developing IT systems.
Much of the governing policies within the Air Force and DoD separate IT management from cyber, Zabel said, adding that much of the problem is cultural, as well.
"We're coming from a legacy where people didn't recognize the relationship and have set up separate stovepiped programs for IT and cyberspace," she said.
However, in the modern world, the two aspects of technology cannot be mutually exclusive. IT infrastructure must have cybersecurity baked in and the military's cyber capabilities must have a robust and agile underlying network.
"How do we bring that together intelligently so that we are able to deal with the entire world of IT/cyberspace in a way that's meaningful to the Air Force and that advances the nation's interests?" Zabel said. "We need to delve into what aspects of the CIO job are operationally relevant and perhaps we haven't recognized or behaved that way. What you do in IT – where you govern it, where you decide to put your investments – it is cyber relevant."
CIOs on the civilian side were recently granted authority over how IT budgets and programs are managed through the Federal IT Acquisition Reform Act (FITARA), though the legislation specifically excludes defense agencies.
Zabel said the general idea of FITARA is a move in the right direction, though she'd like to see how the law is implemented before seeing something similar for DoD.
"We ought to learn mutually for a little bit longer before we slap anything into law," she said. "We have a lot more to learn and explore about this before legislation would really help."
In the meantime, Zabel suggested the Air Force and other branches work independently to incorporate their CIOs into the cyber mission "by recognizing the need and just getting it done."
"Cybersecurity is one of the most important aspects of cyber," she said. "We are still on a journey of exploring just how deeply cyber is informing all of our mission areas and how we can successfully manage it, how we can successfully secure it."
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
