WASHINGTON — The Pentagon’s top IT official said Tuesday that he wants to make a concerted push to secure weapon systems and critical infrastructure from cybersecurity threats, adding that the effort requires higher coordination within the department.
“I really want to put our shoulder into weapons systems and critical infrastructure, recognizing that our adversaries are coming after those two,” John Sherman, the Defense Department’s acting chief information officer, said in congressional testimony. “Those are some risk areas ... because some of these programs were started in the ’90s, when cybersecurity was in a different place, [so now] we have a better way to come at this.”
Sherman’s testimony before the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems come after a series of high-profile hacks in the last six months, including a ransomware attack that affected the IT systems of a major oil pipeline and the SolarWinds breach that affected numerous government systems. In his testimony, he called the pipeline attack a “wakeup call.”
He told lawmakers that cybersecurity is his “top priority” but that the Office of the CIO must “do a better job” working with Cyber Command and the Defense Department’s undersecretary of defense for acquisition and sustainment, who is the chief weapons buyer. That coordination would involve a focus on the cybersecurity of weapons systems and industrial control systems, he said, adding that there are “seams” within the department that must be addressed. Industrial control systems are integrated software and hardware systems that control the networks of infrastructure such as power plants or pipelines.
“That’s the type of area ... where I think we’re carrying some risk, but I want to do a better job of working with our colleagues in the department,” said Sherman, who previously served as principal deputy CIO before taking over the acting duties.
The department’s recent fiscal 2022 budget request asked Congress for $5.6 billion for cybersecurity, a $200 million increase over last year’s request. According to Sherman’s written testimony, that money will be spent on “key” cybersecurity capabilities such as identity, credential and access management; endpoint security; the Navy’s “comply to connect” framework; and user-activity monitoring. Those capabilities would contribute to the department’s push toward a zero-trust cybersecurity model in which users have to continuously verify their identity.
The Defense Department’s work has accelerated on zero trust over the last 18 months, in part due to the COVID-19 pandemic and telework, but also because its acknowledgement that its current cybersecurity systems are vulnerable to advanced hackers. Earlier this year, the Defense Information Systems Agency released a zero-trust reference architecture to outline the department’s vision for zero-trust networks. Additionally, the Office of the CIO has a series of zero-trust pilots underway.
But the department still needs money to invest in new cybersecurity tools to secure its networks using zero trust, Sherman said. His written testimony stated the department needs “new investments” in software-defined environments, continuous multifactor authentication, micro-segmentation, artificial intelligence and machine learning, and user-behavior monitoring.
“What keeps me up at night are cyberthreats of the kind we’re seeing across the country — not only against the government, but against the private sector,” Sherman said. “This is the main reason I am so committed to moving out with a zero-trust implementation at the Department of Defense. I want DoD to be a leader in this space.”
Sherman also highlighted several ongoing IT modernization initiatives within the CIO portfolio. In his opening statement, he told lawmakers that the department plans to release a software modernization strategy “later this summer” focused on using the DevSecOps process to quickly deliver resilient software.
In its FY22 budget request, the Defense Department requested $50.6 billion for IT and cyber activities, up from $47.7 billion FY21 request and up 4 percent from the amount enacted for FY21. The DoD also asked for $1.48 billion for cloud computing needs, a number Sherman told lawmakers will “require double-digit growth” in future years as cloud technology becomes more prevalent in the department.
Lawmakers didn’t press him hard about the future of the Joint Enterprise Defense Infrastructure cloud, a multibillion cloud contract won by Microsoft in October 2019. The deal has been embroiled in a court battle. Sherman reiterated Deputy Defense Secretary Kathleen Hicks’ comments earlier this month that the JEDI cloud’s future will be decided in the next month.
In his written testimony, Sherman stated that “optimizing the Department’s cloud acquisitions remains challenging” due to the JEDI delay. He added that centralized cloud contracts from the military services along with DISA’s milCloud 2.0 are helping to “fill the gaps and provide a more streamlined and cost-effective approach to DoD cloud adoption” in the meantime.
“We’re continuing to assess our next steps vis a vis ... what comes next or what should we be doing with that enterprise cloud, [an] urgent and unmet need,” Sherman said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.