Nary a speech from Pentagon senior leadership passes without mention of the importance of cybersecurity. But many of the details of that broad strategy fall to Thomas Michelli, the acting deputy chief information officer for cybersecurity within the Defense Department.
Michelli is responsible for coordinating cybersecurity standards, policies and procedures with federal agencies, coalition partners and industry. He spoke recently with C4ISRNET’s Mike Gruss.
C4ISRNET: Tell me about the projects you’ve been working on and how we might measure change in the next year.
THOMAS MICHELLI: The secretary really is focused on near-term, which is the coming year and making sure that the dollars that we’ve gotten and the resources, the people we’ve gotten directly, move the needle.
Some are not new. Identity credentials and access management. How we can more efficiently apply multifactor identification and use that to then ensure segregation of duties and least privilege so that we know that people can only get to where they need to go and only have the access they need to have to get their job done.
C4ISRNET: It helps eliminate insider threat.
MICHELLI: And external threat. All around. We know that if an adversary gets into our network and has credentials and they can move laterally and if we don’t have the right segregation of duties and the right access and attributes, they can pick up additional credentials and just build capability that way.
C4ISRNET: The Defense Information Systems Agency has been working on some prototypes related to identity management. Are there other programs you’re working?
MICHELLI: The common access card is here to stay, at least for the foreseeable future. We are making it more interoperable with the rest of the federal government. In fact, we reach out now in many of our RFPs to say, “If you have a more effective, innovative way to do multifactor authentication at the right level, we’d love to hear about it.” We know we need to be innovative ... to apply the appropriate dollar to the appropriate risk and if industry can come back with an innovative and just as effective multifactor authentication, we’ve taken them and we’re interested in hearing more.
C4ISRNET: What are some of the other areas?
MICHELLI: Comply to Connect is to have as complete a visibility of what’s on our network as possible and to ensure that what connects to our network should be and when it does that it meets our security standards.
We have several pilots, approved concepts, in place. We’re looking to do a more programmatic look on a way that we can replicate a set of solutions across the department.
C4ISRNET: October is National Cybersecurity Month. We’ve seen messages from the secretary emphasizing the importance of cybersecurity. What do you hope that folks get out of these messages and how do you weigh that against threat fatigue?
MICHELLI: You wouldn’t get up without doing certain basic things for your own health and safety and the public would demand these of you. Same thing with cyber. The key bit is culture. It’s not just a thing that the “sixes” or IT staff know about. We need to enculturate people to do this on their own and they realize the efficacy both in the workplace and at home.
We want everybody — not just keyboarders but the users, the contracting shops, our industry partners also — aware that when we spend the taxpayer dollar we want to protect what we’re getting for the taxpayer. We rely on them to do it and they have a responsibility. Not only because of the contract, but it’s good for their business and their employees to be cyber aware and practice it.
C4ISRNET: This year, there’s been an emphasis on cyber for the defense industrial base. Why? What vulnerabilities have you seen from industry?
MICHELLI: We have a defense industrial base form voluntary for people who deal with controlled, unclassified information. The Defense Security Service monitors, audits and helps industry to adhere to those principles. This is important because it can provide intellectual property of that company and our requirements, and perhaps what we can do with what we’re getting from the company. This could be of interest to your adversaries, but also interesting for the security of the economy and our country because some other country can take that work, counterfeit it and use it inappropriately or unlawfully.
We give industry an idea of the threats, hopefully with the intent of saying, “This is in your contract, and this is why it’s important. It’s inherent for all your business practices. This is a threat to your company because somebody could steal that from you and don’t want that to happen, not only for us as a national security interest.”
We’re going to expand the form and do pilots, proof of concepts for smaller companies.
C4ISRNET: How so?
MICHELLI: We have tier one, tier two and tier three companies. Tier one includes the Boeings, Northrop Grummans, Lockheed Martins, General Dynamics, then tier two is the midsize companies and tier three the smaller companies. We’re looking all the way down the food chain.
One of the concerns is the tier one gets it because they can afford to get the experts engaged to comply, but that prime is supposed to ensure that everybody in those tiers can do it as well. We need to ensure that they’re actually following through with that and that tier threes understand the importance of the expense to meet the requirements not only for DoD, but for their other customers.
You’ll see us communicating and engaging the tier twos and tier threes more.
C4ISRNET: Do you envision a time soon where a company would either lose a contract or have it recompeted because their cybersecurity was not up to snuff?
MICHELLI: I could see that happening, yes.
C4ISRNET: That hasn’t happened to date, as far as I know.
MICHELLI: We’ve been doing a lot of carrots; I think you will be seeing some more sticks.
C4ISRNET: Broadly, there’s been a shortage of cyber-qualified workers and there’s been trouble holding onto those you already have. Explain how you make a cyber professional say, “Yes, DoD is a place I want to go and work.”
MICHELLI: Congress has given us what’s called the cyber exceptive workforce. We are just finishing phase one and this enables us to hire faster, directly; it gives us some leeway in compensation both in salary and other mechanisms in compensation. Phase one was U.S. Cyber Command, Joint Force Headquarters-DoDIN, my shop and [Defensive Cyber Operations] cybersecurity. So far, we have filled 403 positions out of many thousands. We’re learning. We’re going into phase two, which will be about 8,000 positions.
C4ISRNET: When you say many thousands, those are already filled ... they’re not vacancies?
MICHELLI: They’re not vacancies. They can be both encumbered with people or they could be vacancies.
C4ISRNET: The position itself has been reclassified.
MICHELLI: Correct. Phase one is done. Phase two is starting. It’s a little over 8,400 positions. And this is the DISA and service cyber components. We’re learning how not only to identify, but also going out and hiring using these authorities. Cyber Command held a cyber fair in partnership with Air Force and DoD CIO this past May. We had over 900 preregistered candidates and 400 candidates showed up as walk-ins — so it’s about 1,300 people. We hired 17 on the spot.
And there were quick follow-ups with others. My understanding is we’re going to expand that to other parts of federal government who also have cyber exceptive workforces.
C4ISRNET: How do you get them in the door?
MICHELLI: We go out and we tell them all the things they can do within government that they can’t do in industry.
Once we get them in and get them trained, another thing we’re looking at is how we ensure that they have a full, satisfying career. Today, we make them go be a logistician somewhere and they say, “I don’t want to do that, I want to do what I’m doing here.” That drives them to get out. So how do we retain them once they’ve got a taste and realize how exciting and how interesting and fulfilling it is? How do we retain them? The military departments are looking at how we are able to give them a full lifetime career track in doing the things they love.
Another thing is the new NDAA. If we have somebody who is renowned in their field and we want to bring them in any leadership position in cyber, there will be abilities to do that.
C4ISRNET: The Pentagon recently announced the Joint Artificial Intelligence Center. How do JAIC and cybersecurity overlap, if at all?
MICHELLI: They overlap greatly. Machine learning and artificial intelligence are really the only ways we’re going to over-match our adversaries on a day-to-day basis. We’re not sure, however, which projects will go under JAIC initially.
We are continually looking at machine learning and artificial intelligence. For example, emails. How do we automatically adjust filters? How do we get ahead so we’re not relying on signatures that we already know? An analyst sits in front of a [subscriber identity module] tool or some other tool looking at behavior on the network. It’s just millions of events. So how do we winnow them down so that only the ones that really need the analysts’ gray cells focus and the best value for their time ... the only way we’re going to be able to do that is machine learning.