By Geoff Fein

The Pentagon is looking to write into the Defense Federal Acquisition Regulations (DFAR) language to protect defense networks, according to a top Navy official.

The defense industrial base effort will define in both the DFAR and the Federal Acquisition Regulations (FAR) what kind of network infrastructure is needed, Robert Carey, the Navy’s chief information officer (CIO), told Defense Daily in a recent interview.

“That is the goal, to define the bar as to what it takes to do business with us,” he said.

Carey believes the DFAR language has been at least drafted.

But writing language into the FAR and DFAR to protect government networks could potentially impact smaller companies. Carey said it is a challenge the services will have to deal with. “I don’t think there’s an easy answer.”

While the large prime defense contractors have spent funds on network security that they say provides them with a fairly robust system, small companies may have less capability, Carey added.

“No one is trying to take work away from them, but to be able to defend the fact that you can defend this information is very important,” he added. “We will have to work on how do you balance the need to compete, the need to involve small business and innovation with security. It’s a polarity…you have to have both, you can’t work one at the expense of the other.”

It will also depend on how companies judge the cost of doing business with the government, Gary Federici, deputy assistant secretary, Navy for command control computers communications and intelligence (DASN C4I) and Space systems, said during the same interview.

“The big guys, it’s almost a must at the board level. You get down to the tier levels and they are going to have to make some hard decisions on that,” he said.

Among the federal agencies, for example, the Departments of Justice, Transportation and Commerce all have robust CIO shops and robust information technology (IT) infrastructures, Carey added.

“Then you work your way down to some of the smaller agencies and bureaus and it’s very much like small business–they don’t have this stuff, so where do they get it? The federal government is trying to help them raise their security bar as well by [grabbing] on to what the big boys have done so they don’t have to reinvent any wheels,” he said. “I don’t know if that’s the right kind of construct because the [intellectual property] associated with some things makes companies very touchy about how they would actually deal with one another, especially in the cyber world.”

Carey also noted that program managers should be required to have an understanding of IT.

The Navy has the Center for Information Dominance Corry Station in Pensacola, Fla. Officials there are working on a course to get commanding officers and commanders beyond a basic understanding of IT, Carey said. “The [Chief of Naval Operations] is already pushing on that.”

Carey has held three workshops for senior executive service personnel and flag officers to help them understand what it means to be digital…ranging from cyber and threat to Web 2.0.

“Because the senior leaders that are decision makers are the ones, believe it or not, [who] are probably the least familiar with this stuff,” he added.

“They are digital immigrants, they are not the natives. They are the boomers and beyond. Some of them get it. Gary [Federici] gets it. A lot of them get it, but a lot of them don’t,” Carey noted. “The idea is to train everyone.”

Everyone who sits down in front of a computer and begins typing is in essence a cyber warrior, Carey added. “And you are also potentially a vulnerability all at the same time.”

Although there were some personnel who held out and said they didn’t really have to get any training there, they were told they would be getting on board, he added.

“You have to hit the program management level and you have to hit the workforce level, all the way down to the deck plate. Everyone has got to understand if I am engaging a network to do my job, and I have access to the Internet, you are a potential vulnerability,” Carey said. “You have to be trained on what do you do with spear phishing e-mail, what do you do with phishing e-mail. And if you don’t know that, you need to know that.”

The millennial generation are used to communicating and collaborating in the wide open, he added. “I think they understand that inside the Navy environment is different information, some of the tools may be very similar but information is the thing that dictates how you protect it.”

There is always the potential that the ease of accessing and using social networking sites or free Internet e-mail accounts might lead some personnel to lower their guard when it comes to online security, Carey acknowledged.

“We’ll have to stay with this. We will have to inculcate this into the fabric of the department–how we ensure that people get it,” he said. “The more millennials that come in, the more skills they have inherently, but some of them might not remember that when [you’re] on [a social network site] you are opening up vulnerabilities right and left just because you’re on it…because you are giving the enemy [visibility] on who you are.

“The training we are running…we are at the front end of it, not the back end, so we have a long way to go,” he added. “Then after a couple of cycles…doses of this…it will start to stick.”