DoD CIO Terry Halvorsen is talking tough on cyber, stating there is a need to make it cost-prohibitive for hackers to conduct cyber attacks:
“We are on the wrong side of the cyber economic curve,” he said at the summit. “We need to raise barriers to attackers’ entry, making it more expensive to play.”
But how? The answer is multifold, but at least one aspect is automation: mechanizing some of the basic actions and responses involved in cybersecurity maintenance, Halvorsen said.
Automation is key to turning around the economics and coping with the speed of the threat, he said at the summit and on the call.
“Automating eliminates the basic [adversarial] players, makes it so you have to raise your game to play,” Halvorsen said. “It reduces the benefit hackers will see and makes it more expensive for hackers to play.”
Another key part is establishing a pervasive, standard-operating-procedure culture of cybersecurity throughout entire enterprises and communities. It’s a worry that Halvorsen said keeps him up at night.
“How do I get a cyber discipline culture, how do I get a cyber economic culture and how do I get a cyber enterprise culture? I think those are the three things that if we got those, almost everything else comes after,” he said. “If I get to the cyber enterprise culture, I’ll start doing integrated, layered defenses, I’ll use automated tools — [joint regional security stacks are] the cornerstone for that — I’ll get the right level of accountability and I will understand the money.”
The only way DoD will get to where it needs to be in cyber security is through a cultural shift. Once senior DoD leaders recognize they are the biggest threat to the enterprise network, and thus stop asking for unnecessarily risky exceptions to DoD policy simply because they are who they are, then DoD may finally realize the type of discipline needed for the future.