BALTIMORE, Md.--The Department of Defense must define standards related to the value and relevancy of the critical information it collects as it works to improve the cyber security of its data, according to a panel at AFCEA’s MILCOM summit Tuesday.
The panel of current and former DoD officials, as well as a cyber industry representative, believe the department’s data should be handled in the same manner as critical infrastructure with a greater emphasis on risk assessment.
“In DoD, you’ve got data that’s structured in a legacy way that is very hard to extract the way you need it. It’s very hard to see things in a way that can get you value,” said panel moderator and former DoD Chief Information Officer (CIO) Terry Halvorsen.
In order to prioritize and better secure the data it collects, DoD must work beyond stovepiped data systems and implement collection standards horizontally across the department, according to Halvorsen.
A first step is to address risk assessment procedures related to critical information, in order to prioritize which data deserves maximum cyber protection needed to extract the greatest value.
As the relevance and value of certain data diminishes, it’s on DoD to no longer hoard this information and get rid of it, according to current DoD Deputy CIO Essye Miller, who believes automation can help this process.
“What we have to do is the rationalization of what are those applications that need to go away, what are those we can truly afford to modernize, and what are those that we really need to look across the military department and agencies as an enterprise capability,” said Miller.
The panel pointed to industry’s key role in meeting the mission assurance aspect related to the data prioritization effort.
“I don’t think government can do this on its own. We have to be thinking about how to collaborate with industry to be able to prioritize securing data,” said Kiersten Todt, president of Liberty Group Ventures. “When we look at that engagement, one of the pieces that we haven’t talked about as much is third-party supply chain security. If we can raise the bar there, I believe that we’ll have greater efficiencies in how we handle data.”
With the highly sensitive data DoD maintains, the department must improve its outreach for public-private partnerships and information sharing procedures needed for pre-cyber threat collaboration, according to Todt.
In particular, Todt sees a growing role for industry to help protect and push for policy initiatives related to the security of data held on DoD mobile devices.
“The very things that make mobile devices such a productivity tool are the exact same things that make them a big target for espionage and for malicious activity,” said Todt. “Being able to develop the policies around protecting the information on our mobile devices, and important protecting the data, is what has to happen. Critical information has to be the priority for looking at how we secure devices’ data and how we’re securing our workforce.”
DoD must move to a more operational mission approach as it works to define data in the same manner as critical information and move past its current risk management framework, according to Miller.
“The bottom line for me is dependable mission assurance. We talk a great deal about the use of commercial best practices and quick adoption of technology, but when we look across the Department of Defense the mission comes back to the warfighter,” said Miller. “The question becomes how do we ensure dependable mission assurance in the face of a credible cyber threat.”