“Having a top-secret clearance may no longer be the insignia of an intel worker, according to the intelligence community’s national counterintelligence chief.
“The IC’s [Intelligence Community] culture used to look at having a top-secret clearance as a “pass-fail” test to get in, [William] Evanina said, but that doesn’t mean employees can’t do their jobs from home — as long as it’s done securely.”
“We are just as successful, with some exceptions, with people working at home than we were before. And I think we have to be flexible and look at our private-sector model and maybe extrapolate that into our intelligence community,” National Counterintelligence and Security Center Director William Evanina said during a May 13 INSA virtual event.
Evanina said he could see not requiring clearances for some positions in the next few years due to teleworking abilities. “Just because you work in the IC, and just because you have a top-secret clearance, does that mean that everything you do is classified?”
“Right now, our communications from home to work is not safe, whether it’s in the private sector, especially not in the government,” he said. “We have to find effective security solutions to get to where we want to be.”
The government rolled out its much-criticized Trusted Workforce 2.0 framework in 2019, aiming to reduce the amount of time needed to clear new employees and re-investigate those moving across agencies.
The IC merged two hiring processes, for security clearances and employee suitability, into one earlier this year. The move was meant to clarify the role of human resource officers in ensuring candidates were right for job demands.
Evanina said the security clearance backlog has dropped to 180,000, with upwards of 50% more new applications coming in compared to 2019. That target beats the one set by the President’s Management Agenda at a 200,000 caseload of active investigations, and it is a significant dip from the reported 231,000 cases in January.”
“October 1 marked the start of National Cybersecurity Awareness Month. While the designation is a clever way to highlight the need for greater vigilance in how we use technology, it’s nonetheless ill-advised. Cybersecurity shouldn’t be treated as a flavor of the month. We need to focus on it every day.
Today’s cyberthreat environment is menacing, and it’s clear that we always need to be in a state of “high alert.” Hackers show no signs of retreat — and are becoming more aggressive and sophisticated. Earlier this year, hackers circulated a tranche of unique usernames and passwords numbering in the billions.
While security technology is much better than it was even just a few years ago, it nonetheless contains one major liability: it’s often only as good as the humans who use it.
Consider the disclosure in late July of a breach at Capital One, which affected about 100 million individuals in the United States. According to a Justice Department filing, a Seattle hacker breached Capital One through a misconfigured firewall caused by human error. The hacker was able to exploit that misconfiguration.
In August, Facebook reported that it left a database containing 419 million records unprotected, without a password. As we examine the major breaches over the last several years — Target, Home Depot, Sony, Equifax — their initial point of vulnerability was access stemming from weak authentication; in other words, passwords that could be hacked.
These events, and others like them, are a reminder that while we can reduce and manage the number of cyber incidents, it’s unlikely we’re ever going to eliminate them. Hackers ultimately prey on the greatest vulnerability: human behavior.
That’s the backdrop to what the head of information security at a global infrastructure company recently told me. He said his top priority is not acquiring the most advanced cybersecurity technology. Instead, it is educating his workforce. He recognizes that employees are the most vulnerable access point for a breach — and also works with his human resources department to incorporate cybersecurity education into employee on-boarding.
That’s a smart strategy. Companies need to focus on human behavior and make it the foundation for a reliable, powerful culture of security. Doing so will lead to an increased return on investment in technology by developing an educated and informed workforce.
Companies also need to recognize that a key component of security is resilience — and resilience does not mean rebuilding what you had, but learning from experiences so that you build into the future. Natural disasters provide a useful point of comparison. While the United States often rebuilds to the same specs as pre-disaster, the Dutch rebuild to withstand an event greater than the one that wreaked havoc in the first place. A similar approach should be taken for cyber events. Our public and private technology infrastructure — the digital highways of commerce — should be developed to withstand anticipated future threats and events, based on what you have learned from your breach.
Similarly, companies should measure cybersecurity success not just by the attacks they block. They should follow the lead set by a global financial company, where the head of information security recently told me that her main metric is not what her company prevents, but how effectively the company responds after a breach has occurred. Similar to the impact of natural disasters, the effects of a breach can play out over days, weeks, months, and years. Therefore, the effectiveness of a company’s response can be the difference between a demonstration of failure and a demonstration of preparedness, resilience, and success.
The good news is that companies have a growing awareness of the importance of their cybersecurity. But there is still a long way to go and a clear need to invest more in cybersecurity training, education, and awareness of employees. Companies need to ensure that everyone understands how one simple human mistake can put the entire company at risk. Creating a culture of security should be a top corporate priority because cybersecurity is critical to the mission of every company.
Human behavior is the foundation for security. That message needs to be delivered — and acted on — not just this month, but every month.”
Kiersten E. Todt is the managing director of The Cyber Readiness Institute and the former executive director of President Obama’s independent, bipartisan Commission on Enhancing National Cybersecurity. She has served in senior positions in the private sector and in the White House and U.S. Senate.
The cyber-triad, as described by DOD’s new cyber strategy.
“Formally titled the “Defense Innovation Unit X,” the small command will be led by a civilian with a military deputy and staffed by an elite team of active-duty, reserve and civilian personnel, the defense official said. It will probably be located at Moffett Airfield, a former Navy base, in Silicon Valley, according to a senior defense official.
That team will “scout for breakthrough and emerging technologies; and function as a local interface node for the rest of the department. Down the road, they could potentially help startups find new ways to work with DoD,” [Defense Secretary] Carter said.
On a trip to California’s Silicon Valley, Carter highlighted the risks of high-tech digital attacks, saying the Defense Department’s sophisticated weapons and the command-and-control networks that control them are “no good if they’ve been hacked.”
Similar ventures may follow in other areas with high-tech industries, including the New York City area, a senior defense official said.
Some reservists welcomed the proposal to ramp up the Pentagon’s presence in the nation’s technology hubs, which could help build up the cyber talent pool in the reserve components.
“There will be people who want to serve but they also don’t want to serve on active duty all the time. If the department is set up in areas where there are private-sector tech centers or academic tech centers, you are going to have a higher population of reservists who do this work already,” said Col. Mark DiTrolio, commander of the Army Reserve Information Operations Command, in an interview from his home in San Antonio.
The military services are about halfway toward their goal of creating an operational cyber force of about 6,200 troops by the end of next year. The long-term target size for the cyber force remains under discussion.
“We are still thinking about the right investment in the cyber mission force,” a senior defense official said. “We’ll be looking at that closely over the next year or so to see if we need increased investment in terms of personnel or technology.”
Carter’s trip to Silicon Valley — the first for a defense secretary in nearly 20 years — was the latest sign that he is making a focus on cyber capabilities central to his tenure in the military’s top civilian job.
After taking over the post in February, Carter spoke at U.S. Cyber Command headquarters in Maryland and suggested the command could someday break off to form a separate military service.
In March, he suggested a slate of far-reaching reforms to the military’s antiquated personnel system that could help DoD better compete with the private sector for the top talent in the cyber field.
The 33-page official cyber strategy that the Pentagon released April 23 was the first major update since 2011.
After his speech, Carter met with Facebook chief operating officer Sheryl Sandberg, followed by a visit to Andreessen Horowitz, a major Valley venture capitalist firm.”
“About $500 million in 2016 would go toward compensating computer security whizzes department wide, according to budget materials provided to Nextgov. Earlier this month, Defense received the green light to fast-track the hiring of 3,000 civilian cyber pros, in part, to staff the half-full Cyber Command.
“That should tell you something about how vital the mission is that you all have taken on, how important it is for the security of our country and, for that matter, the security of our economy and our people in their individual lives, because cyber touches all aspects of their lives,” Carter said at command headquarters in Fort Meade, Maryland.
Defensewide, cyber funding would reach $5.5 billion under the White House’s 2016 budget, with more than half of that sum going toward operations and maintenance.
But a significant amount would also be devoted to innovation. The “research, development, test and evaluation” request totals $1 billion. That’s more than double the amount slotted for procuring new tools.
The Air Force’s $1.4 billion piece of the 2016 cyber pie is significantly higher than the Army’s $1 billion portion. Air Force officials in recent weeks have voiced concerns that across-the-board spending cuts could hurt the branch’s technical supremacy, according to CNN.
“The option of not modernizing isn’t an option at all,” Gen. Mark Welsh, the Air Force’s chief of staff, told Senate lawmakers last month. “Air forces that fall behind the technology curve fail … And joint forces without the full breadth of air space and cyber capabilities that modern air power brings will lose.”
There has been some discussion of transitioning Cyber Command to its own military branch. But it won’t be in the immediate future.
Defense does not want “to take too many jumps, organizationally, at once,” Carter said last week. “We have given some thought to that. And for right now, we’re walking before we run,” but “that’s one of the futures that cyber might have.”
Currently, the goal is to prop up 133 mission forces teams, “with the majority achieving at least initial operational capability by the end of fiscal 2016,” Cyber Command chief Adm. Mike Rogers told House lawmakers earlier this month. “I have been working with the services to accelerate the work we are doing to keep on schedule, but I can promise you that will not be easy,” he said.
Any potential Cyber Command branch would be dwarfed by even the smallest of the armed services, like, for example, the $24 billion Marine Corps.”
Air Force Photo of a Combined Air Operations Center
A 6,000 PERSON CYBER COMMAND
“Air Force Maj. Gen. James Martin earlier this week said that increases in the service’s operations and maintenance budget would create a total of 39 cyber teams. Those teams will include “200 military personnel in cyber operations and cyber warfare positions to counter growing worldwide cyber threats,” according to budget documents.
“We’re stopping the downsizing,” Martin told reporters on Tuesday, when the budget was released. “Support of this budget request is important, so that we can eliminate some stress on the force, that we can make sure we’re adding back money for the force structure that we have, as well as some billets that support and strengthen the nuclear enterprise, as well as new missions such as the cyber teams.”
Specifically, the Air Force is asking for $7 million to develop the Cyber Command’s force planning model, to include 65 personnel.
Each command cyberwarrior will be part of a Cyber Mission Forces team. There are three varieties of these teams.
“National Mission Teams” that deflect foreign hackers aiming for U.S. critical infrastructure — such as, if China were to set its sights on the electric grid;
Cyber Protection Teams that defend the dot-mil domain, where military secrets are kept; and
Combat Mission teams that help geographically-located Combatant Command troops attack overseas adversaries, in, say, North Korea.
Roughly $3 million of the Air Force budget will help employ 28 information security pros to support development of the Combatant Command’s cyber force planning model.
The Navy wants $4 million to stand up nine Cyber Mission Forces Teams.
At the Army, $13 million, in part, would fund 22 employees to support “full spectrum cyber operations,” from defending military computers to striking adversary networks. Aside from paying salaries, the money would cover “additional training and certifications, life-cycle replacement and sustainment of existing equipment, and mission related travel,” budget documents state.”
“As the US Army assembles a 6,000-person-strong cyber mission force in the next two years, officials are trying to determine the best way to attract, organize and maintain the cyber talent required to secure Defense Department networks. The creation of a new Army branch dedicated to cyber — the first new branch established in the service since Special Operations in 1987 — means that leaders are learning how to recruit, train, retain and equip cyber forces.
The Army has made significant strides in areas such as assessing aptitude and establishing training and doctrine, but the buildup is not without its challenges, Lt. Gen. Edward Cardon, commander of Army Cyber Command, told reporters at the AUSA conference.
“Once you get these highly trained professionals, how do you lead them; how do you develop their talent?” Cardon said. “It has a lot to do with retention, and one of the challenges we have is we’re constantly being pulled at by industry. So we have to have a way to manage [the workforce] the best we can for the defense of the country.”
A major part of that is forging better partnerships with the private sector, government’s primary competitor for cyber talent, Cardon said. To do that, the Army is looking at new ways of recruiting and hiring, which could mean changes to current policies.
“As I’ve traveled around to the different tech companies, a lot of them would like to work with us, but they don’t want a permanent job with us. So right now the personnel polices don’t really allow us to do that, they don’t allow us to bring somebody in for a year,” he said.
“I’ve talked to Amazon, Microsoft [and] Google about how they manage their workforce … you have to find people who can operate in this environment, which means as technology comes along, they study it all the time. They’re self-learning. You have to invest significant time to stay current in this profession.”
To find those people, it may mean looking beyond the traditional academic and military programs, and making changes to how the Army handles hiring and personnel, Cardon said. For example, Army officials are looking at ways to loosen restrictions on how soldiers and civilian employees can move between specialties and assignments, similar to what’s done in other disciplines.
But leaders are looking internally as well. Roughly 2,000 of the projected 6,000 cyber-focused personnel have been hired so far, and the Army also is hammering out its use of the National Guard and Reserves for cyber requirements, Cardon said.
“For the National Guard, the immediate need is the cyber mission force itself, and we’ve developed National Guard teams — 11 in the National Guard, 10 in the Army Reserve — and they’ll be trained to the same standard for the cyber mission force,” Cardon said.”