Top Pentagon IT official: Need to focus on cybersecurity of weapons systems and critical infrastructure


Pentagon Acting Chief Information Officer John Sherman participates in a virtual panel with Billington Cybersecurity on April 15, 2021. (Chad J. McNeeley/U.S. Department of Defense) (Office of the Secretary of Defense)

WASHINGTON: The Pentagon’s top IT official said Tuesday he wants a concerted effort to protect weapons systems and critical infrastructure from cybersecurity threats, adding that the effort will require greater coordination within the department.

“I really want to put our focus on weapons systems and critical infrastructure, recognizing that our adversaries are targeting them,” John Sherman, acting chief information officer of the Defense Department, said in testimony before Congress. “These are some of the risks. Domain…because some of these programs started in the 90s, when cybersecurity was in a different place, [so now] we have a better way to solve this problem.”

Sherman’s testimony before the U.S. House Armed Services Committee Subcommittee on Cyber, Innovative Technology and Information Systems follows a series of high-profile hacks over the past six months, including ransomware attacks affecting major oil pipelines and vulnerabilities in SolarWinds’ IT systems affecting many government systems. In his testimony, he called the pipeline attack a “wake-up call.”

He told lawmakers that cybersecurity is his “top priority” but that the Office of the CIO must “do better,” working with U.S. Cyber Command and the undersecretary of defense for acquisition and sustainment, which is the major arms buyer. Such coordination will involve concerns about the cybersecurity of weapons systems and industrial control systems, he said, adding that there are “seams” within the sector that must be addressed. Industrial control systems are integrated software and hardware systems used to control infrastructure networks, such as power plants or pipelines.

“That’s the type of field … I think we take some risks there, but I want to work better with my colleagues in our department,” said Sherman, who held the acting role of chief deputy chief information officer before taking over.

The department’s most recent fiscal year 2022 budget request asked Congress to allocate $5.6 billion for cybersecurity, an increase of $200 million from last year’s request. According to Sherman’s written testimony, the money will be used for “critical” cybersecurity functions such as identity, credential and access management; endpoint security; the Navy’s “Comply Connect” framework; and user activity monitoring. These capabilities will help the department drive a zero-trust cybersecurity model in which users must constantly verify their identities.

The U.S. Department of Defense’s work on zero trust has accelerated over the past 18 months, in part because of the COVID-19 pandemic and telecommuting, but also because it admits that its current cybersecurity systems are vulnerable to advanced hackers. Earlier this year, the Defense Information Systems Agency released a Zero Trust Reference Architecture to outline the department’s vision for a Zero Trust Network. In addition, the Office of the CIO is conducting a series of Zero Trust pilots.

But the department still needs funding to invest in new cybersecurity tools to use zero trust to protect its networks, Sherman said. His written testimony said the department needed “new investments” in software-defined environments, continuous multi-factor authentication, micro-segmentation, artificial intelligence and machine learning, and user behavior monitoring.

“What keeps me awake at night is the kind of cyber threat we’re seeing across the country — not just against the government, but against the private sector,” Sherman said. “That’s the main reason why I’m so committed to zero trust implementation in DoD. I want DoD to be a leader in this space.”

Cloud computing

Sherman also highlighted several ongoing IT modernization initiatives across the Chief Information Officer (CIO) portfolio. In his opening remarks, he told lawmakers that the department plans to release a software modernization strategy “later this summer” focused on rapidly delivering resilient software using DevSecOps processes.

In its FY22 budget request, the DoD requested $50.6 billion for IT and cyber activities, up from $47.7 billion in FY21 and 4% higher than the amount enacted in FY21. The Defense Department is also asking for $1.48 billion for cloud computing needs, and Sherman told lawmakers that they will “need double-digit growth” in the coming years as cloud technology becomes more common in the sector.

Lawmakers did not press him about the future of the Joint Enterprise Defense Infrastructure (JEDI) cloud, the multibillion-dollar cloud contract Microsoft won in October 2019. The deal has been embroiled in a lawsuit. Sherman reiterated comments made earlier this month by Deputy Defense Secretary Kathryn Hicks that the future of the JEDI cloud will be decided next month.

Sherman said in written testimony that “optimizing DoD’s cloud acquisitions remains challenging” because of the JEDI delay. He added that the military’s centralized cloud contracts, along with DISA’s milCloud 2.0, are helping “fill in the gaps while providing a leaner and more cost-effective approach to DoD cloud adoption.”

“We’re continuing to evaluate our next steps…what’s next or what we should do with the enterprise cloud, [an] urgent and unmet need,” Sherman said.

About Andrew Eversden

Andrew Eversden covers all of C4ISRNET’s defense techniques. He previously covered federal IT and cybersecurity for The Federal Times and The Fifth Domain, and was a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.
