The military specializes in operationalizing concepts and tools. As cyber is becoming more integral in everyday operations, so too are the leadership positions that oversee it. The military could be moving to leverage its operational expertise to foster greater cybersecurity through operationalizing the CIO function, according to one top official.
Operationalizing this role is "not just [being] a manager of IT but you're actually a member of the C-suite driving towards real operational effect and a thoughtful strategy going forward," Lt. Gen. William Bender, Air Force CIO, stated at a recent Defense Writers Group Breakfast in Washington.
What this means in practical terms is taking all the legislative authorities endowed to the CIO office and doing "a better job of actually living up to them", he said. "Flex the muscles that you have within the corporate process to live by the authorities that you're expected to live by." Operationalizing the CIO is a way to help bring together and cultivate a force that understands how systems connect to one another allowing forces to complete their missions, he added.
Bender's words speak to a growing trend in which the role of the CIO potentially is shifting toward a greater steward of cybersecurity.
"CIOs and [chief technology officers] are becoming business leaders; they're not technical leaders anymore. They are IT leaders, with most reporting to CEOs and taking responsibility for making the business successful," Teresa Carlson, vice president of Amazon Web Service's World Wide Public Sector said in June. "So why not be responsible for making the mission successful? CIOs need to up their game. It's not just making the data center successful but making the mission successful."
Similarly, Chris Lynch, director of the Defense Digital Service, stated that the Defense Department is one of the greatest mission-based organizations. Technology, he believes, must support these missions. "So the future of the CIO is to support the mission of that organization, of the people, of men and women working on some broader thing to benefit all of us. It's the service support concept that's important," he said at the Defense One Tech Summit in June.
Efforts like the Task Force Cyber Secure, an effort to synchronize understanding, operations and governance in cyberspace, have sought to bolster the vulnerabilities among the Air Forces systems and is people. Exercising poor so-called cyber hygiene can open organizations up to substantial vulnerabilities. Bender described cyber hygiene as 80 percent of the cybersecurity problem.
"Just bad behavior on how do you click on links and use thumb drives and all the things we know not to do…ends up being about 80 percent of the problem. So the threat vector is self-induced," he said.
The Air Force is rolling out to the entire service a cyber hygiene and culture plan with education and leadership development, stressing that the threat is real. Bender also discussed developing organic cyber capabilities.
"There’s a clear recognition that our service needs an organic cyber capability to get after much of what Cyber Command…just doesn’t have the bandwidth to do or simply not in their charter, and it’s critical [to the] Air Force," he stated.
This organic capability revolves around the Air Force’s five core missions– air and space superiority, intelligence, surveillance, and reconnaissance, rapid global mobility, global strike and command and control – and focuses on mission-specific tasks in the air domain. CYBERCOM, Bender said, is concerned with big problems and high-end warfare, such as protecting missile defense systems and air defense systems and assuring the nuclear enterprise and space enterprise.
The Air Force, by contrast, needs organic capabilities to complete daily missions. In the Air Force, according to Bender.
"IT is ubiquitous in everything we do," Bender said, pointing out that it's not possible to name a mission the Air Force does that isn’t reliant on IT, he added. Organic capabilities specific to the Air Force involve assurance of aerial refueling, assigning crews to planes, ensuring planes take off on time and they deliver their payload or complete their mission. All these tasks, Bender said, are dependent on cyber-vulnerable systems.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.