In a recent Billington Cybersecurity Conference Fireside Chat, Lieutenant General Robert Skinner, Director of DISA and Commander of Joint Forces HQ-DODIN, discussed DOD strategy and goals with Teresa Shea, Vice President of Cyber Offense Defense Experts (CODEX) for Raytheon Intelligence and Space, in an engaging 30-minute conversation.
Below is a recap of that Fireside Chat and an interview with the moderator.
During the discussion, Lt. Gen. Skinner provided his perspective and goals on where the DOD is and where it needs to be regarding its improved use and protection of its digital environment. The fascinating conversation provided some keen insights into the DOD digital strategy as it relates to its need to respond to faster and more ambitious adversaries, focus on protecting command and control to guarantee future use, jointly improve both its security posture and its user experience, make better use of data, and move to a data-centric, user-anywhere environment.
Lt. Gen. Skinner used the phrase “velocity of action” to point to the DOD’s two-fold strategic imperative of enhanced speed and direction in moving forward with its digital strategy. Within this thrust, he highlighted that everyone within this effort already had a unity of purpose and events such as the COVID pandemic had helped rocket forward the impetus to move DOD to becoming a more mobile workforce. He also cited his recent work within PACOM as bringing home the reality of how aggressive China is in becoming the most dominant power in the world and how this has also impacted his and broader DOD thinking in terms of increasing its pace to counter.
Lt. Gen. Skinner’s Five Priorities
Lt. Gen. Skinner deftly highlighted the five priorities that he sees being critical to evaluating his and his organization’s progress in the coming years.
First, he is determined to better protect and enhance the DOD’s chain of command, both on a day-to-day basis and during times of crisis. He reminded registrants that DISA is in charge of the President’s ability to communicate securely and at all times and emphasized that ensuring this remains his number one priority.
His second priority is to ensure that DOD systems – communication, logistics, and weapons – are ready and capable during times of crisis.
Third, he emphasized, like many other DOD leaders expressed during the course of the conference, the imperative to find ways to leverage data that DOD networks were already collecting. As an example of this, he highlighted his goal that DOD would one day be quite capable of leveraging AI/ML to make networks more proactive in ferreting out the threat, as well as to help to diagnose potential vulnerabilities.
Fourth, he wants to better harmonize cybersecurity with the user experience with the thought that making it easier to use a protected system will keep users from trying to get around the system.
Last, Lt. Gen. Skinner highlighted the continued need to find ways to empower the workforce by reducing bureaucracy and getting rid of what he called “institutional silliness.”
Ms. Shea turned the conversation towards how the private sector could help, and Lt. Gen. Skinner was quick to point out several key areas where companies could be of value. First, he underscored the need to leverage the private sector’s advanced research and development in both cybersecurity and data analytics. He cited, for example, DOD’s great need to do better at digital identity and multi-factor authentication and said he believed these are two areas the private sector has already devoted much research into perfecting and using. He highlighted AI as another example of where the DOD could take advantage of private sector experience and once again emphasized the need to bring this innovation to a newfound DOD data-centric environment.
Overall, the chat pointed to some key themes highlighted throughout the Billington conference. First, it clearly reiterated a sense of unified purpose throughout DOD to focus on data, mobile access, a secure digital identity, and speed as key ingredients to making DOD a more secure but productive entity. It highlighted the consistent theme of bringing the user into the discussion with an emphasis on practicing some basic cyber hygiene and understanding the importance of good security throughout, and it showcased another DOD leader who could speak articulately about joint mission and goals in the DOD cyber space.
A Q&A with Teresa Shea, Moderator
Where do you see the private sector assisting the Federal Government in the technology arena to better secure their digital work environments AND make them more productive? Conversely, where do you see the Government adding value to the private sector world?
- Twenty years ago, the private sector overtook the government in R&D investment. Today they account for more than 70% of the total U.S. investment in R&D and the government would benefit by capitalizing on that investment vs. thinking they have to build all capabilities in-house. There is so much overlap in hard challenges and the private sector has demonstrated the ability to apply solutions to these challenges at speed and scale which puts them significantly ahead of the government.
- Just in the cyber market, more than $11 billion dollars was invested this year in cybersecurity start-up technology. Our cybersecurity challenges are remarkably similar and we are ALL working to eradicate adversaries from our cyber environments.
- Cybersecurity has become a corporate boardroom issue due to the continued onslaught of attacks from criminals and adversarial nation-state actors. The government has access to vital threat intelligence information that is urgently needed by the private sector to prioritize the volume of attack vectors they are seeing daily. It is exciting to see this sharing beginning to take place and it should work both ways. We are all in this cyber ecosystem together and our defense is inextricably linked. Timely and actionable information from the government can make a difference in our ability to stop attackers before they gain a foothold.
LG Skinner talked of this concept of velocity as an impetus for Government change; a concept that includes speed, unified purpose, and planning as a more holistic approach to “winning.” How does one best integrate these three key concepts to getting it right in the “winning” business?
- I love LG Skinner’s quote “velocity of action to win.” Recognizing that we are in a constant state of defense and having the courage to change bureaucratic processes that we all recognize as impediments to our success is necessary. I think we all know what those are. Our economy is built on business—we could learn a lesson from the start-up community on how they disrupt fast, admit failure, and change direction. Our culture of risk aversion prevents us from addressing our hardest issues. We should change the foundation of reward systems and recognize results that matter. This will take guts at ALL levels, not just top down.
Several observers during the conference discussed the conflict between pushing innovation out to keep us economically viable versus the need to ensure that security is baked into the innovation from the start. If you were a master application or service deliverer for Raytheon for a day, what would be your approach to delivering both innovation and baked in security with your deliveries?
- We are in a race with our adversaries to operationalize technology first and we are losing. On top of that, as you point out, security is not baked into capabilities because there are little to no requirements from the customers for that security.
- If I were “in charge” for a day, I would push for a software-based approach that enables end-to-end system emulation. This approach gives vulnerability researchers the ability to simultaneously discover vulnerabilities in the model and reverse engineer solutions to address those vulnerabilities that impact the design. These can be tested and retested in a software baseline that is substantially less expensive and much faster than our current approaches.
- Clearly, we have a plethora of existing networks, systems, and platforms that are vulnerable to cyber attacks. We need to focus on our most important assets and protect those first. Gaining real time situational awareness of our vast systems is hard but doable—we are going to need to invest the resources necessary to ensure we have basic protections to raise the bar on the adversaries.
From your perch sitting within the private sector, how does the Federal Government overcome its severe cyber expertise shortage?
There have been several recommendations to address this cyber expertise challenge, so I’ll highlight a few:
- Start with K-12 and show these students that cyber can be both fun and make a difference for a better world.
- Stop requiring bachelor’s-degree level college educations. Many associate degree programs, certificate programs, and white hat hacker forums are producing thousands of qualified cyber experts that are not being picked up due to this requirement for a four-year degree.
- Invest in educational and awareness activities that teach cyber on a personal level. Strive for every American citizen to understand how to upgrade their operating system and use multifactor authentication.
- Use automation to do routine analysis and prioritize threats so that the human resources can focus on the highest priority challenges.
Lastly (and the toughest question yet, smile): You know all the key cyber leaders currently in the Biden Administration’s “Cyber Team.” If you were Queen for a day, how would you best leverage each of their time to take the most advantage of this current team? Are there any blind spots that they might be vulnerable to, and how would you work to fill them, if any?
- Yes, I am very excited about the cyber leaders in our government today across the board, starting with Chris Inglis as our National Cyber Director. They all demonstrate a depth of knowledge and breadth of operational experience that delivers a propensity for action. We are already seeing this action taking place.
- Of course, they will have blind spots as they are human. However, the stated objective of “coherence across U.S. government in cyber policy, action, and doctrine” focuses on a comprehensive whole-of-government approach resulting in awareness that addresses those blind spots. The trick will be in execution. Success will depend on not just government but all of society. The private sector must be dedicated to addressing their cybersecurity, to include their supply chains, and every American will have to adopt behaviors conducive to a defensible cyber presence.