Pentagon’s top IT official: More coordination needed on weapon systems and critical infrastructure cybersecurity

WASHINGTON (c4isrnet): The Pentagon’s top IT official said Tuesday that he wants to make a concerted push to secure weapon systems and critical infrastructure from cybersecurity threats, adding that the effort requires higher coordination within the department.

“I really want to put our shoulder into weapons systems and critical infrastructure, recognizing that our adversaries are coming after those two,” John Sherman, the Defense Department’s acting chief information officer, said in congressional testimony. “Those are some risk areas … because some of these programs were started in the ’90s, when cybersecurity was in a different place, [so now] we have a better way to come at this.”

Sherman’s testimony before the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems comes after a series of high-profile hacks in the last six months, including a ransomware attack that affected the IT systems of a major oil pipeline and the SolarWinds breach that affected numerous government systems. In his testimony, he called the pipeline attack a “wakeup call.”

He told lawmakers that cybersecurity is his “top priority” but that the Office of the CIO must “do a better job” working with Cyber Command and the Defense Department’s undersecretary of defense for acquisition and sustainment, who is the chief weapons buyer. That coordination would involve a focus on the cybersecurity of weapons systems and industrial control systems, he said, adding that there are “seams” within the department that must be addressed. Industrial control systems are integrated software and hardware systems that control the networks of infrastructure such as power plants or pipelines.

“That’s the type of area … where I think we’re carrying some risk, but I want to do a better job of working with our colleagues in the department,” said Sherman, who previously served as principal deputy CIO before taking over the acting duties.

The department’s recent fiscal 2022 budget request asked Congress for $5.6 billion for cybersecurity, a $200 million increase over last year’s request. According to Sherman’s written testimony, that money will be spent on “key” cybersecurity capabilities such as identity, credential and access management; endpoint security; the Navy’s “comply to connect” framework; and user-activity monitoring. Those capabilities would contribute to the department’s push toward a zero-trust cybersecurity model in which users have to continuously verify their identity.

The Defense Department’s work on zero trust has accelerated over the last 18 months, in part due to the COVID-19 pandemic and telework, but also because of its acknowledgement that its current cybersecurity systems are vulnerable to advanced hackers. Earlier this year, the Defense Information Systems Agency released a zero-trust reference architecture to outline the department’s vision for zero-trust networks. Additionally, the Office of the CIO has a series of zero-trust pilots underway.

But the department still needs money to invest in new cybersecurity tools to secure its networks using zero trust, Sherman said. His written testimony stated the department needs “new investments” in software-defined environments, continuous multifactor authentication, micro-segmentation, artificial intelligence and machine learning, and user-behavior monitoring.

“What keeps me up at night are cyberthreats of the kind we’re seeing across the country — not only against the government, but against the private sector,” Sherman said. “This is the main reason I am so committed to moving out with a zero-trust implementation at the Department of Defense. I want DoD to be a leader in this space.”