How to recalibrate cyber strategy in the new administration

We're going to talk about the White House's recent priorities and, of course, emerging threats

My guest is Leslie Beavers. Leslie is Principal Deputy CIO for the..

...to kick things off for our conference today. J.D., thank you so much for the invitation and thanks to the viewers

We're really looking forward to today's discussion. So let's start with a bit of a big picture view, Leslie, if we can

Talk to me about the strategies you feel can really effectively be deployed to hardened networks and capabilities overall

Yeah, let me start out with a quick scene setter and chat about what the Department of Defense is trying to secure

And that is an entire United States military, but also with our allies and partners

And what that generates is a one-to-end interoperability challenge. Basically, it's an enormous scale

If you think about our traditional cybersecurity and how we do identity management

we do trust negotiations between different organizations. But when you take that to the one-to-end, it becomes absolutely untenable to do

So the digital foundation and creating a secure digital foundation is what is really important for the department to enable this resilience at the global scale

And when you think about a digital foundation, there are a few pieces to it

There's the digital data platform, the actual infrastructure that connects everything together

So that's the digital foundation, which includes services like Relay, Ingest, ytics, Apps Compute, access and distribution, that kind of thing

And then there's the actual test and the preparation, like a sandbox type of an environment that you can test things before you actually put them in the digital foundation

So various pieces of that are being built out in the department today And the role of the CIO within the department is really to synchronize and simplify the work that we doing across the department so that we end up with

enterprise services. It's kind of a misnomer to think of the DOD CIO as sitting on top of an

organization. We actually sit on top of an economy or a global ecosystem. And so

It's a challenge, and we know that our processes take too long, but we are making headway

Zero Trust, I think, has been foundational to that progress because that enables us to do that mesh environment, that multi-cloud mesh network that remains secure

We're very excited about the progress being made on the Zero Trust front

Across the department, I'm seeing a hybrid approach to its development and adoption

So some of it's going into commercial cloud, some of it's on-prem data, and some of it's going into private government cloud

And we're uplifting our capabilities. It just depends. Like I said, we're an ecosystem, so we need it all

And then the other piece is we don't fight alone. So our industrial base, it's equally important to secure our industrial base

And the progress that we're making on the cybersecurity maturity model certification, which is just making sure that we all dot our I's and cross our T's and do the security requirements and secure our own networks across the industrial base as well, are equally important

And I just like to highlight anytime I get a chance to talk to industry that the threat isn't just against the department

We are losing an estimated of $100 million a day in intellectual property and data to the adversaries out of our industrial base

So it's a colossal problem. But together, we can actually make a difference by securing our networks

Leslie, you mentioned zero trust, and that's a phrase increasingly of use to the broader cybersecurity space

I hoping you can drill down a little bit more on that even a broad strokes definition for some of our viewers who might be a bit unfamiliar either with the phrase zero trust or really how it fits into your overall goals for that digital foundation you just spoke about

Yes, happy to. So traditionally, we built networks and we secured at the perimeter and we weren't really paying attention to what was happening inside the network

Zero Trust is the pivot away from that to basically tagging the people, tagging the data, and doing the auditing so that you know what's going on in your network all the time

So nothing in the network is trusted. It's constant authentication. To that end, we stood up a zero trust portfolio management office led by Randy Resnick and identified 152 capabilities that when stitched together, give you ultimate kind of zero trust

We're in the department making sure that we get to a target level zero trust by 2020

And that's the 91 capabilities, kind of basic capabilities. And that includes things like your identity credential and access management, your auditing

There's a number of your policy enforcement points. There's a number of technical solutions that are identified

And you can't the important point that Randy always gets on me to double stomp is that you can't do those capabilities independently

They have to work together. Synchronization, like I said, it's an interoperability

And so when you bring all of those capabilities together, you then have a secure environment

And so if and when, because it's really kind of when somebody attacks and gets in, you identify them quickly and can take remediation steps

Leslie, what does success look like in terms of overall cyber resilience at the DOD

And how are you and your colleagues effectively able to measure progress in that effort

So cyber resilience means that you are able to maintain your connectivity in your communications and your information and your data through a detail kind of an environment so denied diminished intermittent or limited access And you also are maintaining the integrity of your environment so that you don have

bad actors in it. And to that end, the Zero Trust, the CMMC, and then we're also bringing our allies

and partners along. NATO is in the process of working on a zero trust policy as well. And we've

been coordinating closely with the five eyes, which are the US, the UK, Canada, New Zealand

and Australia to make sure, like I said, this is a giant cooperation problem. Our technology can do

this, but we as a department have to, and as a community have to decide to cooperate on the

policy and the engineering level. And then we also have to upgun our talent so that we have

expertise monitoring the network at the right level, because the expertise required to understand

what's happening on the wide area network is one thing. The expertise that's required to understand

and defend what's happening on your local area network is a little bit different. So we're also

So we've established the Cyber Accepted Service, which is a workflow, which is a workforce that is managed out of the CIO to define the roles and responsibilities and create credentialing for those roles and responsibilities so that we have the right expertise in the department that we can align at the right level

And now we're also looking at the cybersecurity service providers, the RMF process, which is the risk management framework on how we are defending the network

And when I think about this problem and securing the network, I'm thinking about identifying the vulnerabilities that exist and reducing the number of vulnerabilities and then also enabling the quick identification of new or zero day kind of vulnerabilities and taking immediate action on those as well

And that's a very cooperative process