C4ISRNet
https://www.c4isrnet.com
Tue, 23 Jul 2024 09:36:54 +0000

Navigating fed cybersecurity: Strategies to achieve network compliance
https://www.c4isrnet.com/opinions/2024/07/10/navigating-fed-cybersecurity-strategies-to-achieve-network-compliance/
Wed, 10 Jul 2024 18:57:56 +0000

As cyberattacks have intensified in volume and sophistication, the need for more prescriptive guidance is clear.

Initiatives like Executive Order 14028 and CISA’s Binding Operational Directive 23-1 have heightened scrutiny and accountability for security leaders tasked with ensuring network security and compliance. This guidance helps government entities and private sector organizations navigate the threat landscape and improve their security posture. However, diverse directives from the White House, the National Security Agency (NSA), the Department of Homeland Security (DHS), the Securities and Exchange Commission (SEC), and other government entities create confusion over which guidance to follow.

As we navigate the various federal guidelines, it’s important to remember that you’re not alone in this struggle. Security professionals across the board are grappling with legacy tools, siloed security applications, the time-consuming nature of data collection and analysis, and the scarcity of skilled security personnel. These are all factors that complicate efforts to gain comprehensive network insights and prove compliance.

So, where to begin?

Focus efforts on greatest benefit

Vulnerability management is complex and overwhelming for most agencies, often competing with a slew of information from various vendor sources. I like focusing on the basics. The National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data, is one of the most important sources of truth worldwide and a good place to start.

Maintained by the National Institute of Standards and Technology and sponsored by DHS’s National Cybersecurity and Communications Integration Center, the NVD provides detailed analysis and scoring of Common Vulnerabilities and Exposures (CVEs) to help organizations prioritize their response to vulnerabilities. They also publish the Known Exploited Vulnerabilities Catalog, which is a great supplement. In 2024, NIST has already issued nearly 35,000 alerts; agencies need to understand which CVEs are relevant to their network and their degree of exposure.

Private sector CISOs and federal agencies face the dilemma of complying with complex regulatory requirements within limited timeframes and budgets. Executive orders, for instance, are often issued without fiscal budget backing, forcing security leaders to assess their existing systems and contracts to determine if current infrastructure investments will support the new requirements and identify which legacy systems must be updated or removed from the network.

Additionally, security leaders must evaluate which contract terms may help or hinder the evolution of the network to meet new regulatory compliance standards.

The list of considerations goes on, but the point is that budgets are capped, and contracts can constrain the timing and degree of progress. It’s easy to get distracted by all the noise around new standards and guidelines, but stay focused on the regulations that matter to your organization.

Adopt multifunctional technologies

While a private sector organization typically operates one network, the federal government operates multiple. Some examples include unclassified, secret, and top-secret networks, each with its own rules and network challenges. Users often have to contend with challenging military operating environments and low bandwidth connections. In addition, regardless of the challenges, each network must continue to comply with cybersecurity regulations.

The diverse nature of these environments means that security teams must possess expertise across multiple platforms. The scarcity of skilled security personnel exacerbates this challenge, as organizations struggle to find and retain professionals with the necessary knowledge and experience.

To expedite compliance efforts, utilize solutions that provide greater network visibility and are familiar to a broader community of security professionals. Also, adopt multifaceted, versatile technologies and rely less on bespoke solutions. This approach provides more flexibility and scalability to meet evolving guidelines. For example, consider the benefits of automated security and compliance tools. These tools can significantly reduce the time and effort required for data collection and analysis by automating routine tasks and providing centralized visibility into the network.

Additionally, agencies implementing a zero trust architecture require continuous verification of user and device identities. This approach minimizes the attack surface and enhances the overall security posture. By integrating zero trust principles with automated tools, organizations can achieve a more resilient and compliant security framework.

Efficient evidence collection

The shift toward hybrid and multi-cloud environments adds layers of complexity to cybersecurity and compliance efforts. These geographically dispersed systems make it difficult to gain a holistic view of the entire network. This forces security teams to manually aggregate and correlate data from various sources, which is time-consuming and prone to errors. It also hinders the ability to detect and respond to threats promptly, leaving networks vulnerable.

Evidence collection solves this challenge as it requires a comprehensive model of the entire network infrastructure. With end-to-end visibility of the network, even in multi-cloud environments, and capabilities for historical data analysis, path analysis, and compliance monitoring, organizations can more efficiently achieve and maintain a strong security posture and compliance, even with evolving standards.

Behavioral analysis and attack surface management are key components of an effective evidence collection strategy. These capabilities enable security professionals to proactively verify that network behavior aligns with intended configurations and identify anomalies. Additionally, security professionals can simulate the network environment and conduct detailed analysis without impacting live operations. In this controlled setting, security professionals can identify potential vulnerabilities and remediate issues faster.

Staff retention, collaboration

Evolving security guidelines are creating increased demand for cybersecurity professionals. However, the cybersecurity industry is concurrently grappling with a skills gap, where there are more job openings than qualified candidates available to fill them. To address this issue, organizations should prioritize investments in training and development programs. By enhancing the skills of existing staff and fostering a culture of continuous learning, organizations can cultivate a more adept and knowledgeable security team while retaining valuable talent.

Retaining security professionals is crucial for organizations to achieve compliance. These professionals develop deep expertise and knowledge of the organization’s systems and processes over time. This institutional knowledge is invaluable as experienced security staff can oversee the continuous implementation and management of security policies and practices necessary for ongoing compliance. Cross-functional software systems can improve collaboration by providing the entire organization access to accurate information about the hybrid multi-cloud environment.

Retaining staff also contributes to efficient audits and assessments. They are well-versed in the organization’s compliance history and processes, enabling them to prepare effectively for audits and respond promptly to assessment findings.

Additionally, collaboration plays a crucial role in navigating the complexities of achieving, maintaining, and proving compliance. Partnering with security professionals in other departments or across entities can break down silos and promote the sharing of resources and knowledge. A collaborative approach can facilitate the adoption of similar technologies and encourage transparency in sharing successful approaches and solutions. By avoiding redundant efforts and isolated strategies, departments and organizations can collectively navigate cybersecurity and compliance challenges.

The complexities of federal cybersecurity guidance necessitate a multifaceted approach to achieving compliance. Understanding what regulations are applicable and implementing multifaceted technologies and frameworks, such as automated tools and a zero trust architecture, enables organizations to adapt to evolving standards more easily. Additionally, prioritizing evidence collection helps organizations gain end-to-end visibility, compliance verification, and network monitoring for vulnerabilities. Amidst these changes, retaining security professionals is critical for developing effective strategies and leveraging institutional knowledge.

These four strategies empower federal and private sector entities to enhance their security posture swiftly, achieve compliance efficiently, and fortify their networks against emerging threats.

Matt Honea is Head of Security and Compliance for Forward Networks.

Beavers takes reins from Sherman as acting DOD information officer
https://www.c4isrnet.com/cyber/2024/07/10/beavers-takes-reins-from-sherman-as-acting-dod-information-officer/
Wed, 10 Jul 2024 16:41:21 +0000

Leslie Beavers is the new acting chief information officer for the U.S. Defense Department.

“I’m happy to share that I’m starting a new position as Acting Chief Information Officer at United States Department of Defense,” Beavers wrote in July on LinkedIn. The department’s website now lists her as acting CIO.

A spokesperson for the Pentagon did not immediately return a request for comment.

As the primary IT adviser to the defense secretary, Beavers is taking over from former CIO John Sherman, who stepped down in June to take a position outside government as dean of the Bush School of Government and Public Service at Texas A&M University.

Previously serving as the principal deputy CIO at the Pentagon, Beavers is well acquainted with the Defense Department’s many ongoing initiatives meant to secure the defense-industrial base, develop 5G technologies and explore artificial intelligence.

Since she came to the department, Beavers has worked on landmark endeavors like Project Herald, the Pentagon’s plan to transform digital intelligence sharing, and Fulcrum, the recently announced IT transformation strategy. The latter is where she is most focused now on building momentum, she said in her LinkedIn post.

“[That] gives you tangible steps to turn that strategic vision into an operational reality,” Beavers said at the 2024 TechNet Cyber conference in Baltimore, which took place June 25-27. “It’ll be followed by an implementation plan, which will give some more information.”

The former Air Force intelligence officer and retired brigadier general comes to the position at a time when the DOD is beginning to put many of its theories around zero trust, cloud computing, machine learning and cybersecurity into practice.

The department has for several years now released guidance, thanks to the help of working groups and testing approaches via pilots. Now, officials say, it’s in a position to actually phase in solutions. The department has a goal to come up with a data tagging and labeling strategy by the end of the calendar year.

Beavers also said at TechNet Cyber that she anticipates growth in the Joint Warfighting Cloud Capability procurement vehicle as other contracts begin to expire.

At the same time, challenges persist for Beavers and her office, including cyber workforce shortages, unpredictable funding and technical debt that separates the services from the modern approaches they’re after.

All the while, China looms as a major U.S. adversary on the digital battlefield, and attacks on public infrastructure underscore the urgency of predicting and intercepting cyberthreats.

The DOD is seeking $14.5 billion in fiscal 2025 for its cyberspace programs. According to the DOD’s website, Kevin Mulvihill is the new acting principal deputy CIO.

Quieting Discord: A new frontier in military leaks and extremism
https://www.c4isrnet.com/news/your-military/2024/07/10/quieting-discord-a-new-frontier-in-military-leaks-and-extremism/
Wed, 10 Jul 2024 16:38:16 +0000

During a five-month period from 2022 to 2023, Massachusetts Air National Guard member Jack Teixeira sent 40,000 messages on the online chat platform Discord, some of which contained classified national security secrets.

An FBI investigation revealed that Teixeira, a 22-year-old who ran a server on Discord called “Thug Shaker Central,” spent much of his life online, talking primarily with other young men via message, video calls and voice chats. He chatted about guns and military gear, threatened his school, made racist and antisemitic jokes, traded conspiracy theories, discussed antigovernment sentiments, and in a bid to show off, shared some of the military’s most closely guarded secrets about the Russia-Ukraine war and the Middle East.

By the time the young airman was arrested in 2023, media scholar PS Berge had been studying Discord and its users for three years and had created an online consortium of other academic researchers who were doing the same. That an intelligence leak occurred on the site, creating a national security incident, didn’t come as a shock to her.

“My response was, ‘Of course. Of course this would happen on Discord,’” Berge said. “Because on a platform like this, you share everything with your people. Everything about your life. So, why not share national security secrets?”

Teixeira pleaded guilty in March to six counts of willful retention and transmission of national defense information. His sentencing is scheduled for September, and prosecutors are asking that he serve between 11 and 17 years in prison.

Massachusetts Air National Guardsman Jack Teixeira, right, in U.S. District Court in Boston, Friday, April 14, 2023. (Margaret Small via AP)

The same month Teixeira agreed to a plea deal, the FBI revealed it had investigated another service member in 2022 for leaking information on Discord.

Former Air Force Staff Sgt. Jason Gray, who served as a cyber analyst at Joint Base Elmendorf-Richardson, Alaska, admitted to running a Facebook group for followers of Boogaloo, a loosely organized, antigovernment movement that advocates for a second Civil War. Gray was disgruntled with his military career, and he discussed his dissatisfaction with the U.S. government in several Discord channels created for the Boogaloo movement, according to a 2022 FBI affidavit that was unsealed in March.

Gray, who used the account name LazyAirmen#7460, was accused of posting a classified image in a private Discord channel that he “likely obtained” from his access to National Security Agency intelligence, the affidavit states.

Investigators said the image could’ve been shared “in furtherance of the Boogaloo ideology,” but didn’t elaborate on the image’s details. It’s uncertain whether the FBI is still investigating the potential leak. But while searching Gray’s electronic devices for evidence of an intelligence breach, authorities discovered hundreds of images of child pornography. Gray is currently serving five years in federal prison on multiple child pornography charges.

Oversharing is a hallmark of Discord, an online world where members of certain channels talk all day, every day, and even fall asleep together on voice calls, said Megan Squire, a computer scientist and deputy director for data analytics at the Southern Poverty Law Center.

People who study the platform agree that it’s not inherently bad — it’s used by millions of gamers, students, teachers, professionals, hobbyists and members of the military community to communicate and socialize. However, extremists have hijacked a part of the platform to radicalize and recruit others to their causes, said Jakob Guhl, senior manager for policy and research at the Institute for Strategic Dialogue.

Following the leak of national security secrets and other high-profile, nefarious uses of the platform in recent years, researchers are grappling with what to think of the platform’s small but headline-grabbing dark side, and many disagree on whether Discord as a company is doing enough to root out bad actors.

“It’s always a bit difficult to strike the right tone between not scaring people off the platform, because the majority of users are completely fine, but also highlighting that there is an actual issue of radicalization,” Guhl said. “It’s not the biggest or most offending platform, but it definitely plays a crucial role among this network.”

Many service members and veterans join Discord communities looking for camaraderie. (Staff. Sgt. Jaccob Hearn/Army via Canva)

‘Not inherently evil’

The National Consortium for the Study of Terrorism and Responses to Terrorism, known as START, studied decades of violent extremist attacks and found a military background to be the most commonly shared characteristic among those who committed or plotted mass casualty attacks from 1990 through 2022, more so than criminal histories or mental health problems.

Researchers from START said the study revealed why extremist groups tend to focus recruitment efforts toward people with military service records: Even a small number of them can have an outsized impact inside extremist movements.

While such recruitment occurs on Discord, Guhl, Berge and Squire agreed that the mere presence of service members and veterans on the platform isn’t a cause for concern.

“It’s a popular platform and not inherently evil,” Squire said. “I’d be much more concerned about military folks on 4chan, Telegram, places like that. Nothing good is happening on those platforms, but Discord could be useful.”

In fact, Berge said, it can be a valuable forum for marginalized people to foster a sense of community. On its “about” page, Discord describes its mission as one that helps users find a sense of belonging.

“Discord is about giving people the power to create space to find belonging in their lives,” the company’s mission statement reads. “We want to make it easier for you to talk regularly with the people you care about. We want you to build genuine relationships with your friends and communities close to home or around the world.”

That’s what the veterans group Frost Call is doing on the platform. The nonprofit encourages veterans and service members to stay connected through gaming, one of its founders told Military Times last year. As of June, it boasted 390 members.

Attendees play games while visiting the Discord booth at the Game Developers Conference 2023 in San Francisco. (Jeff Chiu/AP)

“When we founded Frost Call, we built an organization around this idea of bringing veterans together, helping to improve camaraderie that’s missing from military service,” Marine Corps veteran Wesley Sanders said last year. “It serves an enormous mental health need, but also ... an existential need for a lot of veterans.”

Moreover, when new users join Discord, extremist elements of the platform are not easily visible.

Discord is made up of millions of servers centered on various topics. Users can join up to 100 servers, and each server has numerous text, voice and video channels. When a new user creates an account and searches servers to join, the platform will suggest “its most popular, most successful, public-facing communities,” rather than any disquieting, invite-only communities, Berge said.

“If you are a standard user, and if you’re signing in to Discord for your general interests — maybe you’re looking for fellow students or fellow veterans — 90% of the time, you’re not going to accidentally stumble upon an extremist group,” she said. “They actually go through a lot of effort to make these spaces insulated, to make them difficult to find.”

When using Disboard, a third-party search platform for Discord servers, prompts such as “Nazi” or “white supremacist” won’t elicit results like they used to, Berge said. In a 2021 study, she found thousands of Discord servers that marketed themselves on Disboard as hateful and Nazi-affiliated spaces.

“You used to be able to search for those terms and find communities. It was horrifying,” Berge said. “Those servers still exist, but they’ve changed the ways they’re identified, and in some cases, we know that high-profile, toxic communities have been shut down.”

A screenshot taken from a research paper titled,

Extremists find a foothold

Founders Jason Citron and Stan Vishnevskiy created Discord in 2015 as a way to allow friends around the world to communicate while playing video games online. Its popularity exploded during the Covid-19 pandemic, when lockdowns went into effect and many people became more isolated than ever before.

Just two years after it launched, Discord gained notoriety as the platform of choice for facilitators of the 2017 “Unite the Right” rally in Charlottesville, Virginia. Organizers, including some veterans, used Discord to share propaganda and coordinate the protest, which turned deadly. James Fields was convicted of killing Heather Heyer when he drove his car into a group of counterprotesters. Fields had joined the Army in 2015 but was separated quickly because of a cited lack of motivation and failure to train.

In 2022, Discord made headlines again after a mass shooting at an Independence Day parade in Highland Park, Illinois, where seven people were killed and dozens more injured. The suspected shooter ran his own Discord server called “SS,” where he complained about “commies,” short for “communists,” according to posts archived by the nonprofit website Unicorn Riot.

That same year, an 18-year-old white gunman killed 10 Black people at a supermarket in Buffalo, New York. The gunman, Payton Gendron, spent months writing plans for the attack in a diary he kept on a private Discord server, visible only to him. About 30 minutes before the attack, Gendron sent out invitations for others to view the diary, and 15 people accessed it, according to Discord.

The platform again faced scrutiny following Teixeira’s leak of national security secrets.

“It’s periodic. Every couple of years, it seems like there’s something,” Squire said. “There are other platforms that are worse, but Discord keeps coming up over and over again.”

White nationalist demonstrators walk into Market Street Park surrounded by counterdemonstrators in Charlottesville, Virginia, on Aug. 12, 2017. (Steve Helber/AP)

Research institutions such as the Institute for Strategic Dialogue found that Discord serves as a hub for socializing and community-building across far-right groups, including Catholic extremists, the white supremacist Atomwaffen Division and the antigovernment Boogaloo movement.

Extremist groups value the platform’s layers of privacy and anonymity, as well as its chat and video functions and collaborative nature, Guhl said. Berge described it as a walled garden, or an online environment where user access to content can be controlled. Servers come with the capability to assign hierarchy to different members and allow some members to access information that others can’t, the researchers said.

“In, say, a Twitter direct-messaging thread or Facebook DM, you don’t really have levels and hierarchies,” Squire said. “Discord really allows you to have more fine-grained ranking structures.”

Another reason for the prevalence of extremists on the platform stems from its roots in gaming, Guhl surmised.

Rachel Kowert, a globally recognized researcher on gaming and mental health, has spent five years researching extremism in video game communities. Though gaming itself is a powerful tool for connection and growth, extreme and hateful ideologies are now commonplace in those spaces, Kowert said.

“If you’re spending a lot of time in the social or gaming spaces where misogyny is commonplace, that can in turn start to internalize in the way you see the world and interact in it,” Kowert said.

Fighting a dark legacy

The existence of far-right groups on Discord — and the high-profile instances of extremism on the platform in the past several years — has spawned its “extremist legacy,” one from which it’s now trying hard to distance itself, said Berge.

Discord said it removed more than 2,000 far-right-affiliated servers following the “Unite the Right” rally. After the Buffalo killings, it removed Gendron’s server and worked to prevent the spread of content related to the attack, the company said. At that point, Discord agreed it “must do more to remove hate and violent extremism.”

Discord CEO Jason Citron testifies during a Senate Judiciary Committee hearing on Capitol Hill on Jan. 31, 2024. (Manuel Balce Ceneta/AP)

“We created Discord to be a place for people to find belonging, and hate and violence are in direct opposition to our mission,” the company said in a statement at the time. “We take our commitment to these principles seriously and will continue to invest in and deploy resources.”

Earlier this year, the company reported that 15% of its staff works on its user safety team, which cracks down on harassment, hateful conduct, inappropriate contact, violent and abusive imagery, violent extremism, misinformation, spam, fraud, scams and other illegal behavior.

During the investigations into Teixeira and Jason Gray, Discord officials immediately cooperated with law enforcement, a company spokesperson told Military Times. And in recent months, Discord has leaned on machine-learning technology to moderate content.

“We expressly prohibit using Discord for illegal activity, which includes the unauthorized disclosure of classified documents,” the spokesperson said.

The company publishes reports each quarter showing actions taken against various accounts and servers. The latest report, published in January, says Discord disabled 6,109 accounts and removed 627 servers that espoused violent extremism during the last few months of 2023.

Squire and Guhl agreed that Discord is “pretty good” at responding to extremist content. Guhl credited the company for including extremism and hate speech in its community guidelines, as well as for deleting servers on a regular basis that breach its terms of service. Discord also created a channel where Squire could flag questionable content on the platform, and the company has been receptive to the concerns she’s raised, she said.

“I credit where credit is due, and I have to give them credit for that,” Squire said. “I think it’s taken seriously, and there are other platforms that I could not say that about.”

Extremists are ‘absolutely still there’

Berge applauded Discord for ramping up the technology behind its moderation and for introducing IP bans, which restrict a device from accessing the platform, rather than just an account. Still, she sees room for improvement.

Discord should place more emphasis on educating moderators and users about how to recognize when someone is being radicalized and pulled into an extremist space, Berge said. She also criticized the platform for disbanding a program in 2023 that included hundreds of volunteer moderators.

“It wasn’t Discord’s automated flagging systems that caught national security secrets being leaked by Jack Teixeira. It took other users and community moderators digging into it and someone finally reporting it,” Berge said. “Elevating people and giving them tools to moderate is absolutely central to protecting the platform, and that’s one area where I think they’re taking a step back.”

Berge is still researching communities on Discord, four years after she first uncovered a network of white supremacists using the platform as a recruitment ground. Despite its community guidelines and efforts to remove offending servers and accounts, Discord still serves as a meeting place for pockets of extremism.

“They’re harder to find, but they are absolutely still here. We’re still finding them,” Berge said. “It is still one of the most popular spaces for people to congregate, share and be in community with each other, for better or for worse.”

Discord remains the “platform of choice” for some hate groups, noted Squire, who described the company’s fight against extremists as playing whack-a-mole: As soon as one is removed, another pops up. A lack of institutional knowledge among far-right extremist groups is partly to blame, she said.

“Everybody’s always fresh, and they don’t have any structure for teaching one another and learning from mistakes of the past,” Squire said. “That’s convenient for us, because as we keep amassing knowledge, they make the mistake of reusing the technology that’s most convenient, rather than being strategic.”

This story was produced in partnership with Military Veterans in Journalism. Please send tips to MVJ-Tips@militarytimes.com.

Navy should hit back harder against Houthi online disinformation
https://www.c4isrnet.com/opinion/2024/07/10/navy-should-hit-back-harder-against-houthi-online-disinformation/
Wed, 10 Jul 2024 09:02:00 +0000

Last month, Capt. Christopher “Chowdah” Hill, commanding officer of the aircraft carrier Dwight D. Eisenhower, invited journalists to inspect the flight deck of his carrier while it was underway in the Red Sea.

The journalists reported seeing nothing wrong on the flight deck, which was precisely the point of Hill’s invitation. Ike and its crew remained on station, with no hole in the deck.

Two weeks earlier, a spokesman for Yemen’s Houthi rebel movement announced that the rebels had struck the Eisenhower with a barrage of missiles to punish the United States for its support of Israel in its war against Hamas.

On X (formerly Twitter), Houthi supporters shared a video allegedly showing a large crater at the forward end of the Eisenhower’s flight deck. Other accounts posted a different image of a fiery blast aboard the ship.

The purported evidence of a strike spread quickly across Chinese and Russian social media platforms, thanks in part to the efforts of Russian sites with a reputation in the West for spreading disinformation.

The Houthis’ online conjuring of a successful attack on Ike that never happened complements their months-long campaign to disrupt commercial shipping in the Red Sea that has sunk commercial vessels and injured civilian mariners.

And while the U.S. military and allies regularly hit back with airstrikes against Houthi missile launchers and other assets in Yemen, the Pentagon is less prepared to defend against the online lies and disinformation that the Houthis are spreading.

In the instance of the false Ike attack, Capt. Hill took matters into his own hands, leveraging his 86,000 followers on X. The day after the false claims emerged, Hill began to post videos and still images showing normal operations aboard his ship, including a plane landing on the flight deck and trays of muffins and cinnamon buns fresh from the oven in the ship’s bakery.

Meanwhile, independent analysts exposed how the Houthis generated their false evidence of a missile strike on the Eisenhower.

An Israeli analyst demonstrated that the supposed photograph of a crater on the carrier’s flight deck consisted of a stock image of a hole superimposed on an overhead shot of the Eisenhower taken from satellite imagery dated almost a year before the alleged strike.

The fictional attack on Ike did not come as a surprise to anyone tracking Houthi disinformation efforts. In an ironic example from March, a Telegram channel and a pro-Houthi website shared an AI-generated image of a burning vessel they identified as the Pinocchio, an actual commercial ship the Houthis had targeted but missed.

The Houthis’ supporters had pulled their supposed evidence from a website that shared free stock images. However, no one from the Pentagon officially debunked this image as the Israeli analyst did for the fake photos of Ike.

In addition to these forgeries, pro-Houthi accounts have posted actual images of commercial vessels in flames, claiming the destruction resulted from Houthi attacks.

Yet in those cases, one image showed a burning ship on the Black Sea while another showed events that took place off the coast of Sri Lanka. Pro-Houthi posters even attempted to portray a blurry photo of a distant volcano as a successful strike on an Israeli ship.

This deluge of deceptively labeled images was also met with crickets from the Pentagon.

The U.S. military appears to grasp the need to counter disinformation spread by the Houthis and other regional adversaries. In February, the Joint Maritime Information Center, or JMIC, launched its efforts to provide accurate information to shipping companies about Houthi strikes, both real and imagined.

The JMIC operates under the umbrella of the Combined Maritime Forces – a naval partnership of 44 nations under the command of the top U.S. admiral in the region, who also serves as commander of U.S. 5th Fleet.

This is a start, but the Navy has yet to show that it can debunk false information as quickly as the Houthis post it online.

It is fortunate that an Israeli civilian had the skill and commitment necessary to expose the alleged crater aboard the Eisenhower as a work of photoshopping. He posted his conclusions on X four days after the Houthis publicized the supposed attack. Ideally, the Navy itself should be prepared to debunk such propaganda as soon as it appears.

Standing up this kind of capability should be a priority for the JMIC, which could include such efforts in its existing weekly updates.

It is important to act now before the Houthis’ disinformation apparatus becomes more sophisticated. Already, one of its supporters’ fake images of a burning ship garnered 850,000 views on X.

Moreover, the challenge is not limited to the Red Sea or the Middle East. Military forces in every command should have public affairs and open-source intelligence personnel working together to debunk false and exaggerated claims of enemy success on the battlefield.

Max Lesser is senior analyst on emerging threats at The Foundation for the Defense of Democracies, a non-profit, non-partisan think tank.

]]>
Petty Officer 2nd Class Merissa
<![CDATA[Air Force, Space Force join Army for Bring-Your-Own-Device enrollment]]>https://www.c4isrnet.com/cyber/2024/07/09/air-force-space-force-join-army-for-bring-your-own-device-enrollment/https://www.c4isrnet.com/cyber/2024/07/09/air-force-space-force-join-army-for-bring-your-own-device-enrollment/Tue, 09 Jul 2024 16:41:13 +0000Taking the Army’s lead on bring-your-own-device initiatives, the Space Force and Air Force are preparing to enroll service members in the same technology this summer.

Airmen and guardians will soon be able to take advantage of the Hypori Halo Workspace Anywhere program that grants access to government apps, email, NIPRNet, sensitive data, and CAC-enabled websites via personal devices, including a phone or tablet, whether they’re in the office or not.

A spokesperson for Hypori did not give an exact date for enrollment, but told C4ISRNET it’s still on track to begin this summer.

“The Air Force and Space Force are actually already using our platform,” said Jared Shepard, CEO and president of Hypori, at the TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International late last month in Baltimore. “Now, they’re going to scale.”

Capitalizing on the need for integrated communications and the pandemic-fueled remote work environment, the Army, including its Reserve and Guard components, has already begun transitioning service members toward Halo, which as of June 11 became the only way Army.mil users can access Army 365 services from a personal device. Shepard said at the conference that 50,000 Army enrollees have been using the service since that BYOD effort began as a pilot in 2022. Hypori was also awarded a contract by the National Geospatial-Intelligence Agency on June 6 to give a third of its workforce remote access to secure networks.

“[BYOD] is a top priority for us, and it is a game changer because when our soldiers and airmen are not at the armory, they have to be connected in a secure way,” said Ken McNeill, chief information officer of the National Guard Bureau, in a statement in February.

Reservists and part-time members of the services especially have limited access to base networks, so giving them the flexibility to complete work from wherever they are will be a boon to the organization, leaders have said.

“In our dynamic environment, the Department of the Air Force is committed to providing user-friendly enterprise solutions which empower the force to work securely in a wide range of operational contexts,” said Air Force Chief Information Officer Venice Goodwine in a statement in March.

The technology also eliminates the need to carry two devices while ensuring their government and personal data are kept separate to minimize liability. The idea of “no data at rest” means there is no risk of compromise if the enrolled devices are stolen or lost, and it ensures that personal information stored on that device is not accessible by the government.

The technology, which also vets users, is also compliant with White House orders that ban TikTok on government devices due to concerns that the social media platform’s Chinese-based parent company, ByteDance, would get access to sensitive data.

“Industry has a responsibility that if it’s doing work for the Department of Defense, that it protects that data,” Shepard said.

]]>
Airman 1st Class Jessica Weissma
<![CDATA[Pentagon zero-trust office aims to start data tagging, labeling in ′24]]>https://www.c4isrnet.com/cyber/2024/07/08/pentagon-zero-trust-office-aims-to-start-data-tagging-labeling-in-24/https://www.c4isrnet.com/cyber/2024/07/08/pentagon-zero-trust-office-aims-to-start-data-tagging-labeling-in-24/Mon, 08 Jul 2024 14:51:25 +0000The Pentagon’s zero-trust office is on a mission to develop and test a plan for organizing its reams of data by the end of the year.

At the TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore last month, Randy Resnick, director of the Zero Trust Portfolio Management Office, said tagging and labeling, the practice of assigning metadata and identifiers to pieces of data, has been a long-term challenge for the department.

“They’ve been apparently working on this for 12 or more years — 15 years — and I think it’s time enough to do something,” he said.

By way of an update on these efforts, Resnick said he approved three pilot programs in conjunction with the U.S. Department of Defense Chief Data and Artificial Intelligence Office and the Department of Homeland Security to develop a plan that would allow for all the necessary conversions and interpretations to process any data tagging and labeling standard in an understandable, repeatable way.

The goal is to have a successful demo of a schema by the end of the calendar year. Resnick also set a deadline of October for an internal working group to brief his office on a solution, even a partial one.

“We’re not looking for perfection,” he said at TechNet. “We have to start implementing something, and then it’ll grow over time as people agree to more tags and more labels. It’s got to be flexible enough to allow for growth.”

In a January study by the Defense Innovation Board, researchers found “data access remains the central enterprise-level obstacle to the sharing and use of data for the warfighter.” Part of that is because military departments are “haphazardly” placing data leaders throughout the organization while top-level tech leaders are struggling to enforce their position as a unifier. Other persistent issues like a lack of uniform guidance, sustained funding, workforce gaps and technical silos also make progress on broader zero-trust difficult.

For now, there remain roadblocks that separate the DoD from the data economy it wants, but Resnick is realistic about these challenges and said a solution in development is better than nothing at all.

“That’s the type of solution that I personally am looking for, because that’s what the department needs,” he said.

]]>
erhui1979
<![CDATA[Defense Innovation Unit project makes supercomputers more accessible]]>https://www.c4isrnet.com/battlefield-tech/2024/07/08/defense-innovation-unit-project-makes-supercomputers-more-accessible/https://www.c4isrnet.com/battlefield-tech/2024/07/08/defense-innovation-unit-project-makes-supercomputers-more-accessible/Mon, 08 Jul 2024 14:36:53 +0000A Defense Innovation Unit project to link the Pentagon’s high-performance computers with cloud-based services could soon bring real-time, high-speed data processing to military users around the world.

DIU, whose mission is to help the U.S. Department of Defense better leverage commercial technology, worked with two computing firms on the 18-month effort: Rescale, headquartered in San Francisco, and Parallel Works, based out of Chicago.

The companies partnered with DoD’s High Performance Computing Modernization Program, which is working to make decision-making tools enabled by supercomputers more accessible across the department — from researchers and acquisition officials to operators in the field.

The military uses supercomputers to quickly process large amounts of data that can be used to inform decisions or simulate complex scenarios. For example, a unit could use high-performance computing to understand how the weather forecast might impact a planned ISR operation. Or an engineer designing lighter body armor for soldiers could use it to research materials.

The Pentagon relies largely on physical computers — which are expensive to buy and maintain — to perform this work. Through the DIU effort, Rescale and Parallel Works demonstrated that they could provide these computing tools on the cloud, which means users don’t have to have access to a physical computer to take advantage of the capability.

“Researchers are [now] able to access cloud resources when appropriate to augment their work at on-premises centers,” Benjamin Parsons, chief technology officer for the High Performance Computing Modernization Program, said in a June 27 statement. “This has given them access to a wider variety of hardware, and the ability to scale resources beyond what is currently possible, all within one secure, easy to use, environment.”

Both firms are poised to receive production contracts later this year to scale their high-computing platforms to more users.

Matt McKee, Rescale’s chief operating officer, told C4ISRNET in a July 3 interview that cloud-based computing platforms have played a key role in the private sector, which has used these tools to significantly reduce engineering cycle times for new product releases.

Those capabilities, he said, could change the way DoD develops, tests and fields new systems over the next three to five years.

“You’re seeing that type of thing reverberating through the private sector industry — so, how do we make sure that the U.S. government also has that agility,” he said. “We need to be able to incorporate everything new that is available to us and put all those resources to bear.”

]]>
<![CDATA[Embrace AI to maintain global talent pool for US innovation, security]]>https://www.c4isrnet.com/opinions/2024/07/05/embrace-ai-to-maintain-global-talent-pool-for-us-innovation-security/https://www.c4isrnet.com/opinions/2024/07/05/embrace-ai-to-maintain-global-talent-pool-for-us-innovation-security/Fri, 05 Jul 2024 20:59:16 +0000The U.S. faces significant challenges, including climate change, cyber threats, resource scarcity, and global health crises. To address these and many other issues, the nation has long attracted international scientists to collaborate on scientific and technological breakthroughs.

Well-known examples include the Human Genome Project, space exploration, Silicon Valley, and biomedical research. Further, in the ever-evolving landscape of science and innovation, the U.S. stands as a beacon for global talent, attracting brilliant minds to its research institutions and universities. This influx of international scientists and engineers has undeniably enriched the nation’s scientific endeavors, leading to countless breakthrough discoveries, transformative innovations, and advancements.

However, amidst the celebration of diversity and collaboration lies a growing concern – the need to balance the openness of the U.S. research enterprise and maintain the nation’s competitive edge on the global stage with the imperative to safeguard national security interests.

Revelations and discussions from this year, as articulated in a GAO Report on Research Security released in January 2024; in remarks made by the Director of National Intelligence, Avril Haines, in her March 2024 testimony before the Senate Select Committee on Intelligence; and in widely reported revelations by the FBI, have highlighted the potential risks associated with foreign researchers working on sensitive projects.

Now, especially as we approach the election, the conversation has turned to how best to protect intellectual property and prevent the unwanted compromise and nefarious exploitation of critical technology by foreign adversaries and other bad actors, including terrorist groups and those that mean to do harm to our national well-being. While this is not an easy tension to navigate, it is one we can indeed manage consistent with our national values as we continue to forge ahead with advanced scientific research and technology development to the benefit of all people, everywhere.

At the heart of the matter lies the challenge of finding a solution that does not stifle the flow of talent while ensuring that the nation’s interests are protected. This delicate balance requires a departure from conventional approaches to risk assessment, which often rely on simplistic country-based criteria or blanket restrictions that paint various foreign researchers with the same brush of suspicion.

Instead, what is needed is a nuanced and agile approach – one that leverages technology to identify and mitigate potential risks swiftly and effectively and supplements the work that teams focused on innovation and national security are already doing. Enter the concept of a triage tool – a sophisticated mechanism that incorporates AI capabilities designed to assess the risk posed by international scientists and engineers while expediting the entry of low-risk individuals into the U.S. research ecosystem.

The ideal triage tool, tied to policy that favors the fast tracking of the many scientists who will provide valuable contributions without jeopardizing national security, would possess several key attributes: it must operate without bias, respecting the diversity of backgrounds and nationalities among applicants; it should be automated, ensuring swift processing and scalability without compromising accuracy; and it must prioritize privacy, abstaining from intrusive data collection methods such as biometrics or personally identifiable information.

Furthermore, the tool should complement existing vetting processes, seamlessly integrating into the fabric of U.S. research institutions and agencies. It should be cost-effective, offering significant savings in both time and resources while delivering reliable results with minimal false positives or negatives.

By implementing such a tool, the U.S. can achieve a delicate balance between fostering international collaboration and protecting its national security interests. And by establishing robust mechanisms for protecting sensitive information, the U.S. can bolster trust and encourage fruitful collaboration between domestic and international partners. This would not only enhance the experience of foreign researchers seeking opportunities in the U.S. but also provide reassurance to domestic institutions and agencies tasked with safeguarding sensitive information.

The U.S. stands at a crossroads, where the nurturing of global talent is not merely an option but a strategic imperative. Embracing international scientists and engineers is not only a testament to our commitment to excellence but also a catalyst for driving forward the frontiers of human knowledge and ingenuity. In the end, it is not about erecting barriers or shutting the door to international talent – it is about striking a harmonious chord between openness and vigilance, rather than a forced tradeoff between the two.

By embracing innovation in risk assessment and vetting processes, and thereby welcoming the contributions of international talent, the U.S. can continue to lead the world in scientific discovery, address the existing skill gaps, and foster global collaboration and cultural exchanges, while safeguarding its technological edge for generations to come and fortifying the country’s position as a leader in innovation.

Donald (Don) J. Blersch is Clearspeed’s SVP of Government Innovation. With multi-agency experience, including NASA, the National Oceanic and Atmospheric Administration (NOAA), Central Intelligence Agency (CIA), the Office of the Director of National Intelligence (ODNI), the National Reconnaissance Office (NRO), the Missile Defense Agency (MDA), and the U.S. Department of State’s Bureau of Diplomatic Security, Blersch led the implementation of technology innovation while advising the executive leadership bench on a wide range of security disciplines, enabling the department to meet vital national security responsibilities with a well-vetted and trusted workforce, hyperfocused on the protection of sensitive, classified information.

]]>
Patrick Semansky
<![CDATA[Intelligence Community’s IT roadmap shows way to a data-centric future]]>https://www.c4isrnet.com/opinion/2024/07/02/intelligence-communitys-it-roadmap-shows-way-to-a-data-centric-future/https://www.c4isrnet.com/opinion/2024/07/02/intelligence-communitys-it-roadmap-shows-way-to-a-data-centric-future/Tue, 02 Jul 2024 18:31:38 +0000In a world where the landscape of threats to national security is continually evolving, the intelligence community must also evolve.

Published recently, the “Vision for the IC Information Environment: An Information Technology Roadmap” articulates the pressing need for transformation within the IC, emphasizing how the current strategic environment is vastly different from that of September 2001.

Today, we face adversaries ranging from peer nations to non-state actors, each seeking to challenge our national interests and security. This dynamic environment demands that our information technology infrastructure not only keep pace but also provide a strategic advantage.

The roadmap aims high and purposefully so. It outlines five key focus areas, each designed to fortify, assure, enable, enhance, and accelerate the mission through a comprehensive IT strategy. These areas include:

— Fortify the Mission with a Reliable and Resilient Digital Foundation.

— Assure the Mission with Robust Cybersecurity.

— Enable the Mission with Modern Practices and Partnerships.

— Enhance the Mission with Data-Centricity.

— Accelerate the Mission with Advanced Technologies and Workforce Readiness.

One of the most exciting aspects of this roadmap is Focus Area 4: Enhance the Mission with Data-Centricity. This section highlights the importance of managing and securely using data effectively to expedite mission outcomes and maximize intelligence value. Of particular note, it stresses three main objectives:

Realizing End-to-End Data Management: To achieve data-centricity at scale, the IC must govern and manage data cohesively, at every point of the data lifecycle. This involves comprehensive data management planning, which aligns complex data lifecycle management activities with critical mission architectures. Whether you’re gathering sensor data or video footage in a remote location or extracting insights from that data in an air-gapped facility, such plans will increase the adoption of IC Data Services and applied advanced analytics and AI.

Implementing a Data-Centric Architecture: Valuing data as a strategic tool requires establishing common data standards, models, services, and enterprise digital policies so that everyone is handling mission-critical information in a cohesive way, aligned with the appropriate protection and sharing of each data object. This will facilitate a decentralized data ecosystem, enabling seamless data exchanges and fostering advanced AI/Machine Learning capabilities. Ultimately, this architecture will streamline data sharing and collaboration within the IC and with external partners.

Transitioning Sensitive Data Silos to Data-Centric Enclaves: Sensitive data within the IC is often siloed, making it difficult for analysts to access and utilize information across different enclaves. By transitioning to data-centric enclaves, the IC can break down these barriers, allowing authorized users to discover and access relevant data more efficiently and effectively.

As a whole, this focus area encapsulates the IC’s shift from traditional processes to a data-centric approach. The report details, “Timely, accurate, well-informed insight is key to delivering enhanced mission outcomes. The IC must shift from an organization- and system-centric paradigm to one that is data-centric; preserves organizational equities, authorities, and rights; implements legal/compliance frameworks; and enforces security.”

Centering the data changes everything

Let’s give credit where it’s due; this vision for data-centricity is transformative. It aims to shift the IC from a paradigm of isolated data silos to an integrated, agile, and efficient data environment. This transition is crucial for enabling analysts to derive actionable insights swiftly and accurately, thereby enhancing the overall intelligence process. By implementing a data-centric architecture, the IC can ensure that data is not just a byproduct of operations, but a core asset that drives decision-making and operational effectiveness.

One of the most critical aspects of this transformation is bringing data-centric security down to the data object level using technologies like the ODNI’s Trusted Data Format and the recently approved Zero Trust Data Format by the CCEB. By doing so, the IC can ensure that data remains secure and can be effectively shared and utilized across various platforms and with international partners and allies. This granular level of security is essential for maintaining the integrity and confidentiality of sensitive information while promoting interoperability and collaboration.

The “Vision for the IC Information Environment: An Information Technology Roadmap” provides a robust framework for modernizing the IC’s IT infrastructure. By prioritizing data-centricity specifically, the IC can unlock the full potential of its data assets, enabling more informed decision-making and more effective operations, which will ultimately prove to be critical for maintaining a strategic edge in a data-driven world and ensuring the United States remains protected.

The roadmap’s vision is ambitious, but with commitment and collaboration, it is well within reach. Together, we have the opportunity, talent, and determination to close IT gaps and open new mission horizons, securing our nation’s future.

Shannon Vaughn is general manager of federal at Virtru, a data security company.

]]>
<![CDATA[How achievable is the continuous Authority to Operate model?]]>https://www.c4isrnet.com/opinion/2024/06/28/how-achievable-is-the-continuous-authority-to-operate-model/https://www.c4isrnet.com/opinion/2024/06/28/how-achievable-is-the-continuous-authority-to-operate-model/Fri, 28 Jun 2024 20:37:28 +0000Software is a critical component of military missions, but for too long, the Defense Department’s security compliance procedures have blocked organizations from delivering relevant software capabilities to the warfighter.

Mission requirements and cyber threats change quickly. Staying current requires agile development practices that continuously integrate and deliver high-quality software with reduced risk. Security authorizations should be equally nimble, but repeatedly seeking an Authority to Operate, or ATO, is notoriously time-consuming. Waiting for an ATO and working through assessments is often the longest step in deploying software. These delays can have significant consequences, especially on the battlefield.

There are better ways to manage the risk of information systems. DoD officials recently released the DevSecOps Continuous Authorization Implementation Guide, which maps out the principles of the continuous Authority to Operate, or cATO, model. After a system achieves its initial authorization, properly implementing cATO a la ongoing authorization is a fundamental step in the department’s vision to build a faster, more secure development environment and achieve software supremacy.

What is cATO?

Getting a traditional ATO requires a point-in-time check of security controls that can drag on for months. The exercise repeats when new features roll out or the authorization expires. Meanwhile, cyber adversaries continue to unveil novel threats.

cATO is an ongoing authorization for continuous delivery after achieving the initial authorization. It allows an organization to build and release new system capabilities if it can continuously monitor them against the approved security controls. To achieve cATO, DoD identifies three criteria organizations must meet:

— Continuous monitoring of security controls.

— Active cyber defense measures.

— The adoption of DevSecOps practices.

Shifting from periodic reviews to constant monitoring avoids drifting out of compliance and creates a more robust cybersecurity posture. This isn’t just theory; it’s a proven concept. As co-founder of the U.S. Air Force’s Kessel Run, we originally designed cATO as a specified approach to ongoing authorization for continuous delivery, without cutting any corners.

We applied DevSecOps principles to meet the National Institute of Standards and Technology’s Risk Management Framework, or RMF, requirements. In April 2018, DoD officials approved cATO for Kessel Run’s systems. The ongoing authorization granted authorization at the time of release and removed it as the bottleneck for lead time and deployment frequency. High-performing DevOps organizations employing this approach often achieve lead time and deployment frequency that is measured in hours, which is considered “elite” in The State of DevOps Report.

Preparing teams for ongoing authorization

cATO is not a waiver or a shortcut to compliance with the RMF. Instead, the method tackles requirements at every step of the software development lifecycle to reduce risk. When done correctly, adopting this ongoing authorization strategy is still about authorizing the system, not “authorizing the people and the process” or employing “cATO pipelines.” That said, the inputs that result in secure and authorized outputs for a trustworthy and transparent environment are the right people, processes, and technologies.

To start, leaders must foster a culture of security awareness across the organization by eliminating bureaucratic barriers and recruiting the right technical talent. To shift left on anything, we have to make space for it. For example, cutting low-value work out of developer schedules or removing backlogs gives them time to work on security with their regular tasks.

Programs should have at least one dedicated independent technical assessor for their teams, who works for their Security Controls Assessor and Authorizing Official, to help get the software to production more efficiently. And because security doesn’t happen in a silo, build open lines of communication between security, development, and operations teams to synchronize the latest mission requirements.

Building a security baseline

A critical technical component of continuous authorization is maximizing common control inheritance. The RMF allows applications deployed on top of cloud and platform environments to inherit the underlying controls. Organizations like software factories or service-level programs with thousands of apps can quickly see time and cost savings by architecting for these authorized common controls providers.

The DoD has the opportunity to drive greater efficiency by providing centralized, inheritable security baselines and cloud services for department-wide use, or at a minimum, mission-wide use. Enterprise-wide common controls would enhance the entire department’s cyber posture and support faster software delivery for every service and component.

Building a transparent system

Successful cATO implementations require organizations to deeply understand a system and the cascading effects of any changes to it. Organizations must focus on transparency and traceability, embracing an everything-as-code mindset to ensure controls remain within the approved configurations.

Processes require digitization and, when feasible, automation, including documentation and evidence assessment. The most commonly used governance, risk and compliance platforms weren’t built for ongoing authorizations; systems with the ability to handle modular evidence packages may need to replace antiquated platforms. Give the team’s independent technical assessors access to logs, code repositories, and dashboards to monitor controls and communicate changes to authorizing officials as necessary.

One misconception is that pipelines are a magic wand for cATO. While they are an essential tool, there is much more required for ongoing authorization. A smart way to use pipelines is to incorporate scans that evaluate software against service-level agreements and block it from the production environment if issues remain.

At the end of the day, an organization pursuing cATO must produce a secure system and deliver new capabilities within an acceptable risk profile. Ongoing authorizations are the most effective way for DoD to streamline software delivery and ensure a future where fewer bad things happen because of bad software.

Bryon Kroger is the CEO and founder at Rise8 and co-founder of the U.S. Air Force’s Kessel Run, the Department of Defense’s first software factory, where he pioneered cATO.

]]>
Sgt. 1st Class Glenn Sierra
<![CDATA[Pentagon to issue guidance on open radio access networks to support 5G]]>https://www.c4isrnet.com/battlefield-tech/it-networks/5g/2024/06/27/pentagon-to-issue-guidance-on-open-radio-access-networks-to-support-5g/https://www.c4isrnet.com/battlefield-tech/it-networks/5g/2024/06/27/pentagon-to-issue-guidance-on-open-radio-access-networks-to-support-5g/Thu, 27 Jun 2024 17:36:27 +0000As the Department of Defense looks to find the right mix of bespoke and openly available technologies to support 5G adoption and FutureG initiatives, officials put an emphasis on open architecture Thursday.

At the TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore, leaders from the Pentagon discussed capabilities for public, private and hybrid networks. Officials acknowledged there’s a natural appetite for the most exclusive, secure networks in the national security space. And sometimes there is no wireless network infrastructure available in remote warfighting locations far from population centers.

So as the services determine appetite for private networks that offer more control over information sharing, the DoD is guiding them to use open radio access networks, or ORAN, said Juan Ramírez, the director of the 5G Cross-Functional Team at DoD.

“I think what industry wants to hear is there’s actually going to be requirements that come out that ... necessitate an open RAN architecture,” he said at the conference. “So you’ll start to see those come out in the next couple of years, pending budgets.”

Certainly, private networks aren’t the only way to go. In fact, sometimes that’s not the best solution, said Lt. Col. Benjamin Pimentel, who leads the Camp Pendleton 5G experiment for Expeditionary Advanced Base Operations.

“Think about when we deploy in a theater,” he said. “A lot of countries that we go to or locations that we go to already have roads and bridges, and it’d be silly to then go and build my own private roads and my own private bridges separate and apart from that to get where I need to go. If those roads and bridges meet my transportation requirement, and they’re not going to fall under the weight of a ‘seven ton,’ we’re going to drive over it.”

But, somewhere like the first island chain, for example, may not have adequate coverage to put up sensors for long-range precision fires. In cases like those, he said, it would make more sense for units to bring private capabilities.

Given China’s rising aggression and U.S. efforts to deter it in the Taiwan Strait, what Pimentel described is the type of environment where current threats seem to colocate.

Regardless, to ensure there is connectivity wherever the need is, Ramirez said the department is looking at ORANs, which allow multiple vendors to operate as one network and provide more flexibility to scale.

ORAN is something the DoD has been pushing aggressively to explore as it simultaneously journeys toward more standard 5G adoption on military installations and “smart bases.”

Ramirez said the department is hopeful it will get additional support from Congress via future defense spending bills that will back up forthcoming requirements with dollars.

The Pentagon’s 2024 budget requested $143 billion for research, development and testing of emerging technologies including 5G, but also artificial intelligence. Much of the spending in recent years has been for prototyping, and though the Office of the Secretary of Defense has the lion’s share, Ramirez said his office is offering direction to the services for them to budget for 5G.

“We think that pursuing ideas like [ORAN] advanced by the ORAN Alliance all the way to fully open-source code ... provides the feature velocity the DoD needs and the ability to innovate quickly,” said Pimentel.

]]>
Cunaplus_M.Faba
<![CDATA[DISA says IT ‘problem statements’ will help industry speed innovation]]>https://www.c4isrnet.com/cyber/2024/06/26/disa-says-it-problem-statements-will-help-industry-speed-innovation/https://www.c4isrnet.com/cyber/2024/06/26/disa-says-it-problem-statements-will-help-industry-speed-innovation/Wed, 26 Jun 2024 21:00:33 +0000To help it buy the right technology from IT companies, the Defense Information Systems Agency said it will publish a list of problem statements this fall alongside its annual tech priorities watchlist.

Steve Wallace, the agency’s chief technology officer, said at the 2024 TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International that this is a way of getting at a common problem in the Defense Department: a focus on emerging technology without a clear understanding of the problem it’s intended to solve.

“How does the department understand what you all can bring forward?” he said to a crowd of industry leaders and other cyber professionals in Baltimore June 26. “And then at the same time, how do you understand what the heck we actually need? There’s always that friction there.”

It’s not just an attempt to speed up the acquisitions process as the Pentagon is in a race for digital dominance against China and other nation-state hackers. So much of the conversation around cybersecurity in national defense is around pacing, but with industry constantly coming to market with new tools, there’s a need by government to be a wary purchaser.

These problem statements are a potential way for the Defense Department to buy the right tools, not just the shiniest ones.

“I think there is that risk that we get excited by new things — which are exciting — and we want to play with them and explore and see what’s possible,” said Scarlett Swerdlow, a senior technical strategist in the DISA’s Emerging Technology Directorate. “But at the end of the day, we have to make sure we’re solving a real problem that a real person has.”

The government often tries to emulate industry. But startups in Silicon Valley aren’t tied to a congressional budget cycle. And they have the room, and often the in-house expertise, to fail fast and pivot often. And though the Defense Department is at the mercy of a constantly changing threat landscape, DISA officials said at the conference that it can be enough for DoD to allow industry to do what it does best and be an evaluator when it comes time to settle on a solution.

“It is our ability to interface with industry, but knowing that the dollars that mature the technology are industry dollars, and not tax dollars, and then understanding where to apply some tactical patience as industry develops tech and [then we] insert ourselves,” said Army Maj. David Courter, chief of combatant command plan integration with the J-5. “I think that’s much different than us writing an initial capabilities document and saying, ‘I need you to build this cool tool.’”

Cautionary tale

One cautionary tale came to mind: the Joint Regional Security Stacks, an ambitious plan to massively consolidate the DoD’s sprawling IT infrastructure that was set to be wound down in 2021 following reports of cost overruns and unresolved complexities.

At inception, it was supposed to be a gamechanger for the department, but a 2019 inspector general audit revealed it ultimately wasn’t meeting end users’ needs.

“The whole notion behind JRSS was best of breed for every component in the doggone stack,” Wallace said. “We are going to have the very best of everything. And then we are going to attempt to integrate or interoperate between all these components. Didn’t go well.”

The other issue is ensuring that DoD can verify for itself whether a tool actually does what it claims to do when it’s adapted for military or defense purposes. That comes into play when the department thinks about how a newly bought system must be able to operate with existing ones and those to come.

“[That’s] another reason to add that in-house talent that can ... test some of those claims that products make,” said Swerdlow.

]]>
Moor Studio
<![CDATA[Expect heavier hand, ‘bite’ from DOD zero-trust office, boss says]]>https://www.c4isrnet.com/cyber/2024/06/26/expect-heavier-hand-bite-from-dod-zero-trust-office-boss-says/https://www.c4isrnet.com/cyber/2024/06/26/expect-heavier-hand-bite-from-dod-zero-trust-office-boss-says/Wed, 26 Jun 2024 14:41:39 +0000Randy Resnick, director of the young Zero Trust Portfolio Management Office at the Pentagon, told government and industry leaders on Tuesday to anticipate a “directive type” memo that will give his office more authority to put pressure on the Defense Department to meet cybersecurity deadlines.

At the TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore on June 25, Resnick said his office received pushback on its aggressive goals for meeting zero-trust and saw a need to codify its role in the governmentwide race toward network security.

The memo will give Resnick’s office “bite” and an “ability to command and control zero trust in the Department of Defense,” he said.

At the inception of the portfolio office, which was stood up in 2022, Resnick said he was told his office didn’t have Title 10 authority to set zero-trust requirements or priorities. Military officials said they had to hear orders from their commands. In a nutshell, Title 10 is what gives DoD power to make decisions. It assigns the defense secretary “authority, direction and control” over all subordinate agencies and commands.

When the zero-trust office came on the scene, it was new, and Resnick is now working to ensure his team has the ability to act as subject-matter experts on zero trust.

“You will see language in it that makes it very clear what the portfolio office’s capabilities are and the power that we have over telling the department just how to do things in terms of policy deadlines,” he said. “But it also clearly outlines ... the military departments’ [and] the agencies’ roles and responsibilities for zero trust.”

Resnick did not give a date for the memo but said it was imminent.

In the next couple of months, Resnick is also aiming to clarify gray areas of shared responsibility of zero-trust, since both civilian and military agencies are tasked with implementing it.

Directive-type memos tend to have an expiration date, but they can be converted into instructions that establish policy.

]]>
Charles Dharapak
<![CDATA[Find a way to retain cyber pros, Pentagon personnel guru says]]>https://www.c4isrnet.com/cyber/2024/06/26/find-a-way-to-retain-cyber-pros-pentagon-personnel-guru-says/https://www.c4isrnet.com/cyber/2024/06/26/find-a-way-to-retain-cyber-pros-pentagon-personnel-guru-says/Wed, 26 Jun 2024 14:36:53 +0000Mark Gorak is a self-proclaimed “resource guy.”

That means he knows — more or less — what he’s got, and what he needs. And what he needs is people.

“[In the services], we’re not having a problem recruiting cyber talent,” he said at the 2024 TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore. “Our retention is where we’re having a challenge.”

Gorak, the principal director for resources and analysis for the Pentagon’s Chief Information Officer, said DoD has 27,000 vacancies, down from 30,000 last year. The total cyber defense workforce is comprised of roughly 225,000 service members, civilians and contractors.

Gorak said there is interest in working for the government or serving in the military. The public sector has always been able to emphasize a unique mission and a stable career. While that has been — and is — a selling point, leaders said they also need to use authorities to pay competitively and offer training. Otherwise, government will lose workers to the private sector or other agencies that are also competing to fill this great need.

Messaging is a part of the problem, Gorak said, especially in the search for early career talent.

“I talk to students and I tell them, ‘You can join the Department of Defense as a civilian,’” Gorak said. “They look at me like I’m cross-eyed. [They say], ‘I had no idea that we have 900,000 civilians in the DoD.’”

There is some headway being made, with the department announcing on June 12 its new Cyber Academic Engagement Office, led by Gorak. The goal is to have a dedicated office for coordinating and funding academic engagement programs for the department.

The other aspect of solving the people problem is organizing all the different pay authorities, work roles, skill requirements and types of hires across the Defense Department.

Take, for example, the basic IT job in the government, called a “2210.” Gorak said there are 54,022 employees with this position description performing 72 different work roles, illustrating how one occupation can manifest into different work depending on the office.

That’s part of what makes classification difficult, especially as technology constantly evolves to require new skills or training. The DoD Cyber Framework originally had 54 distinct work roles; now it has 72.

So, recruiters need to understand the actual work being done in order to look for it in the job market, classify it correctly, and then compensate it competitively, Gorak said.

“If you’re a GS-12 and you’re an expert, you should get paid a lot more than a GS-12 who’s at a basic level,” he added. “Pay for performance. Pay for what your actual expertise is. That’s the system we have to get.”

DoD has a number of authorities available that allow it to pay recruitment and retention bonuses, set higher starting salaries and reward high achievers. The department has direct hire authority to circumvent the USAJobs application process. The DoD Cyber Excepted Service offers a market-based pay structure that can offer as much as a 40% salary increase, Gorak said.

So far, about 15,000 positions are eligible for CES, but only 9,000 of them have actually been converted. Gorak’s team has worked to make some improvements to encourage conversion, including allowing individuals to convert instead of requiring that of an entire organization and letting the services delegate that process in-house instead of relying on one office to process all conversion packets.

The only combatant command that is fully eligible for CES is Cybercom. Army Cyber Command is the second biggest.

Still, part of the reason available flexibilities haven’t been used is they’re expensive. In other cases, HR personnel don’t know they exist or aren’t trained on how to use them. That’s also why time-to-hire even for positions that should be fast-tracked remains lengthy.

On the civilian side, hiring timelines hardly improved from 2022 to 2023, and 2210 IT workers remain among the slowest to onboard.

In the meantime, the department — alongside other civilian agencies — has recognized that young people can attain digital skills without a college degree. The government is coming around to that trend, but it’s still a new way of thinking for some.

“I contend to you that there are people out there today ... working in their bedroom upstairs who are outstanding cyber professionals who can do this job, but because they don’t have the experience and they don’t have the degree and they don’t have whatever certs we think are hot right now, we don’t hire them,” he said. “I think that is a mistake by the federal government, and we have to get past it.”

]]>
Tech. Sgt. Jackie Sanders
<![CDATA[Zero trust at DoD hinges on thawing stubbornness in the workforce ]]>https://www.c4isrnet.com/cyber/2024/06/25/zero-trust-at-dod-hinges-on-thawing-stubbornness-in-the-workforce/https://www.c4isrnet.com/cyber/2024/06/25/zero-trust-at-dod-hinges-on-thawing-stubbornness-in-the-workforce/Tue, 25 Jun 2024 20:40:22 +0000Randy Resnick, the boss of the Pentagon’s young Zero Trust Portfolio Management Office, offered a glimpse of what it’s like to sit in his seat and drive some of the most aggressive cybersecurity advances in government.

“So, imagine the [Defense Department] being a really big ship, with the smallest rudder you ever saw in your life trying to try to turn that ship,” he said at the 2024 TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International on Tuesday. “That’s what the Department of Defense is.”

He doesn’t mean it derogatorily. He said it as more a statement of fact than a judgment. And, to the department’s credit, with help from outgoing Chief Information Officer John Sherman and a great deal of documents to keep these offices on the same page, they’ve made progress on the “gargantuan challenge” of getting workforce culture to support cyber security imperatives. But there’s still some work to be done.

Much of the discussion Resnick led at the event in Baltimore centered around the complex technology undergirding zero-trust, which both the military services and civilian agencies are tasked with implementing to some effect in the next few years. DoD offices have until 2027 to hit almost a hundred different targets for zero trust. Meanwhile, the department’s 2025 budget requested roughly $977 million for zero-trust transition, C4ISRNET previously reported.

Zero-trust is, as Resnick said, just that: nothing is trusted, and as a result, there are behind-the-scenes tests that verify and validate access with, ideally, minimal intrusion on user experience. It’s an access control strategy, but it’s also analytics, automation and data.

Zero-trust is very specific but it’s also seemingly ubiquitous. The White House, even, has made cyber defenses a priority of every federal agency.

“Really, zero-trust is all of us,” said Leslie Beavers, the principal deputy CIO at the Defense Department, on Tuesday.

However, for it to work, zero-trust needs to be defined. And all the players need to be on the same page. That’s something that has happened only recently, said Resnick.

“Industry was all over the map with zero trust,” he said. “Everybody had a ZT solution. Everybody was approaching government employees and purchasers, and people were very, very, very confused in the government.”

So, Resnick’s office put structure around zero-trust. The goal, first and foremost, was to stop adversaries’ exploitation of DoD data, he said. Then, they got to work on a number of foundational documents to lay out goals and plans for achieving them, including the DoD Zero Trust Strategy and Roadmap and the “Overlays” plan.

It was an effort to synchronize the theory and actual approach of zero-trust, but inadvertently, it also influenced other countries’ zero-trust plans and reset industry’s understanding of what DoD needs, Resnick said.

“Without a doubt, I now have conversations with industry that are completely aligned to the DoD zero trust approach,” he said. “We didn’t have this two years ago. It’s a pleasure to have a conversation now, because now we’re all on the same page.”

Now that the level setting has been done, there remains the issue of change management.

The federal workforce, for one, skews older than the private sector. Data from 2022 show less than 6% of government IT employees are under the age of 30, and 30% are 55 or older. While officials said the Defense Department often has more reliable and robust funding to go after new technology, federal civilian agencies may not, creating an environment where government is at various stages of adoption, and not always willing to embrace change. The pervasiveness of legacy systems also makes change hard, especially when the skills needed versus the skills available vary.

Resnick said he has seen the spirit of innovation in leadership, but it’s the mid-tier of the workforce that sometimes pushes back — the “permafrost,” as he calls it.

“They feel threatened because they do the old style of cybersecurity,” he said. “I did it myself; I totally understand. But ... if they haven’t learned now, then [they’re] never going to learn. And so I truly believe it’s a generational thing. We’re going to have to wait them out until they retire out.”

That’s not to say training isn’t happening. Resnick said they worked with Defense Acquisition University to get access for CAC-holders to cyber classes that vary in length and intensity.

He said he sees a gap in industry training for zero-trust and urged members to populate that space.

]]>
kody king
<![CDATA[Pentagon unveils IT modernization plan to tackle talent, tech hurdles]]>https://www.c4isrnet.com/cyber/2024/06/25/pentagon-unveils-it-modernization-plan-to-tackle-talent-tech-hurdles/https://www.c4isrnet.com/cyber/2024/06/25/pentagon-unveils-it-modernization-plan-to-tackle-talent-tech-hurdles/Tue, 25 Jun 2024 18:00:00 +0000The Pentagon unveiled a new IT modernization strategy dubbed “Fulcrum” on Tuesday that lays out tangible steps for leaders to address workforce shortages, make its networks faster and streamline policies for more efficient procurement and governance.

On June 20, Deputy Defense Secretary Kathleen Hicks approved the strategy, and the department announced it on June 25, coinciding with the 2024 TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore.

“Fulcrum describes ‘what’ the DoD must achieve with respect to advancing IT for the warfighter and ‘why’ it matters,” according to a department statement.

The strategy offers specifics on broad, sweeping goals by the Pentagon to communicate faster and more securely with warfighters and allies. To date, the government has issued a number of strategic plans and frameworks to double down on cybersecurity and accelerate the military’s development of tools like AI, but this plan takes that a step further by prioritizing user experience and scalable, agile investments.

“It’s called ‘fulcrum’ because it sits at the nexus between our national security strategy, our strategic management plans — our really ‘big thinking’ strategies,” said Leslie Beavers, principal deputy chief information officer, on Tuesday.

With so many tools coming to market from different vendors and small businesses also hoping to break in, the strategy gives leaders guideposts for how to assess what tools and internal resources are needed.

Critically, it also devotes a category to developing the workforce, specifically by broadening the DoD Cyber Workforce Framework to focus more intently on roles for data, AI and software engineering.

The DoD has long said this is an established need.

“There is a recognized shortage of skilled cyber personnel that could potentially impact operational readiness across the Department and put national security at risk,” according to the department’s 2023 Cyber Workforce Strategy. “Despite the vast expansion of cyber educational and experiential opportunities, the nation’s cyber talent pipeline remains limited.”

As in the private sector, government is struggling with too few tech practitioners, which makes new cybersecurity practices difficult to implement. At the same time, much of the technical guidance handed down by experts in tech shops is written for the actual programmers, not senior executives, so there needs to be an available reserve of workers, DoD officials said at the conference.

“Leadership is a force multiplier and to outpace [adversaries] we have to maximize the talent from our broad array of partners, and recruit and retain our own talent,” said Gen. Timothy D. Haugh, commander of U.S. Cyber Command and director of the National Security Agency, at the conference.

Finally, the new strategy also seeks to streamline governance and enhance use of data to back up decision-making and identify cost savings to deliver joint warfighting capabilities faster amid high-tempo, multi-domain operations.

“We must challenge legacy approaches and move toward rapid innovation for them,” said Haugh. “We cannot succeed when our existing processes move slower than the rate of innovation change.”

]]>
Milan_Jovic
<![CDATA[Future of fighting in cyberspace: What to expect at TechNet]]>https://www.c4isrnet.com/it-networks/cybersecurity/2024/06/24/future-of-fighting-in-cyberspace-what-to-expect-at-technet/https://www.c4isrnet.com/it-networks/cybersecurity/2024/06/24/future-of-fighting-in-cyberspace-what-to-expect-at-technet/Mon, 24 Jun 2024 14:17:05 +0000Defense leaders know one thing to be true about the future of warfighting: it will become increasingly complicated as battles are waged in cyberspace.

That probability is what senior-level military, government and industry leaders will be discussing at this year’s flagship TechNet Cyber conference presented by the Armed Forces Communications & Electronics Association International in Baltimore, Maryland.

This year’s theme of the three-day event beginning Tuesday is about “outpacing the threat,” and innovators in the defense technology space will discuss how their tools fit within the military’s goals to align their defenses with the nature of cyber warfare, adapt to rapidly changing environments, and accelerate ahead of global adversaries. All the topics du jour will be on the table, including artificial intelligence, large language models, contested logistics and data strategy.

Knowing future battles will transcend borders and go beyond just physical assaults on adversaries, experts in the U.S. government and industry know the tools of the future must be secure. Knowledge in itself will become an edge in battle. As nations like China seek to advance their use of artificial intelligence for military gain, so, too, are the U.S. and its allies working to understand and leverage this technology in defense of its infrastructure.

Attendees will hear from top officials from the Defense Information Systems Agency, the Defense Innovation Unit, the Joint Force Headquarters, federal chief information officers and chief technology officers, and the services’ cyber commands on the range of multidimensional threats facing their warfighters and the nation.

Registration for interested parties is open here. Here are a few highlights to note.

A keynote address kicks off the event on June 25, during which attendees will hear from Air Force Gen. Timothy Haugh, commander of U.S. Cyber Command, and AFCEA President and retired Lt. Gen. Susan Lawrence. The two will open the conversation on ensuring resiliency in the defense industrial base.

Other sessions that morning will highlight progress being made on the Defense Department’s sprint toward achieving “target level” zero trust by 2027 with insights from within the Pentagon’s information office itself.

Leaders from the Army will also discuss the role of generative AI and knowledge management in warfare, and several branch officials will come together to talk about the need for establishing an Office of the Assistant Secretary of Defense for Cyber Policy.

The showroom floor will also be open to display the latest technology in cybersecurity from dozens of companies.

But the tools cannot be discussed without also identifying a workforce to use them. An afternoon session on Tuesday will offer a status update on the DoD Cyber Workforce Framework.

For highlights of the conference, follow along at c4isrnet.com.

]]>
R_Type
<![CDATA[Lockheed ties digital C2 into Joint Fires Network at Valiant Shield]]>https://www.c4isrnet.com/industry/2024/06/21/lockheed-ties-digital-c2-into-joint-fires-network-at-valiant-shield/https://www.c4isrnet.com/industry/2024/06/21/lockheed-ties-digital-c2-into-joint-fires-network-at-valiant-shield/Fri, 21 Jun 2024 16:21:16 +0000Lockheed Martin said it demonstrated it can integrate digital command and control capabilities into the Pentagon’s Joint Fires Network during Valiant Shield, an exercise in Hawaii this month.

The Joint Fires Network is a U.S. Indo-Pacific Command initiative to improve coordination between commanders and network any sensor from any platform to feed targeting guidance to any weapon system. Valiant Shield is focused on integrating forces across domains with thousands of U.S. military personnel participating along with 200 ships, aircraft and ground vehicles.

The JFN demonstration during Valiant Shield “integrated technologies with third-party capabilities as part of an enterprise architecture,” Lockheed said in a June 20 statement.

“The exercise showcased the seamless integration of Lockheed Martin’s advanced command and control functions, employing Operational Planning to coordinate real-time decision-making across the theater of operations, with all the Services and operational domains,” it said. “This approach enhanced the agility and responsiveness of joint operations, using live real-time data, and producing joint tasking orders in an operationally relevant environment.”

Lockheed’s digital C2 system combines its fielded battle management, command and control software with other technologies from industry, the company notes.

To participate in Valiant Shield, the company said it made improvements to its C2 Planning Software that included “streamlining operator workflows by making machine interactions intuitive, enabling real-time monitoring, and facilitating seamless integration with other technologies.”

The company also trained operators on high-fidelity mission simulators prior to the exercise to learn how to use the C2 planning system.

Lockheed has now participated in seven exercises to continue to work on refining its digital C2 capabilities, it said.

For example, the company participated in Northern Edge, an experiment in the Indo-Pacific theater that demonstrated synchronization of technology that could feed into the Pentagon’s connect-everything-everywhere campaign called Joint All-Domain Command and Control, or JADC2.

The company plans to continue to bring technology to exercises and demonstrations in the Indo-Pacific to help build joint, networked capability.

]]>
<![CDATA[The best way to counter bad artificial intelligence is using good AI]]>https://www.c4isrnet.com/opinion/2024/06/20/the-best-way-to-counter-bad-artificial-intelligence-is-using-good-ai/https://www.c4isrnet.com/opinion/2024/06/20/the-best-way-to-counter-bad-artificial-intelligence-is-using-good-ai/Thu, 20 Jun 2024 15:41:32 +0000Could terrorists or other bad actors use artificial intelligence to create a deadly pandemic? Scientists at Harvard and the Massachusetts Institute of Technology conducted an experiment to find out last year.

Researchers asked a group of students, none of whom had specialized training in the life sciences, to use AI tools, such as OpenAI’s ChatGPT-4, to develop a plan for how to start a pandemic. In just an hour, participants learned how to procure and synthesize deadly pathogens like smallpox in ways that evade existing biosecurity systems.

AI cannot yet manufacture a national security crisis. As Jason Matheny at Rand reiterates, while biological know-how is becoming more widely accessible through AI, it’s not currently at a level that would substitute for a lack of biological research training. But as biotechnology becomes more advanced -- think of Google DeepMind’s AlphaFold, which uses AI to predict how molecular structures will interact -- policymakers are understandably worried that it’ll be increasingly easy to create a bioweapon. So they’re starting to take action to regulate the emerging AI industry.

Their efforts are well-intentioned. But it’s critical that policymakers avoid focusing too narrowly on catastrophic risk and inadvertently hamstring the creation of positive AI tools that we need to tackle future crises. We should aim to strike a balance.

AI tools have enormous positive potential. For instance, AI technologies like AlphaFold and RFdiffusion have already made large strides in designing novel proteins that could be used for medical purposes. The same sort of technologies can also be used for evil, of course.

In a study published last year in the journal Nature Machine Intelligence, researchers demonstrated how the AI MegaSyn could generate 40,000 potential bioweapon chemicals in just six hours. Researchers asked the AI to identify molecules that are similar to VX, a highly lethal nerve agent. In some cases, MegaSyn devised compounds that were even more toxic.

It’s possible that bad actors could one day use such tools to engineer new pathogens far more contagious and deadly than any occurring in nature. Once a potential bioweapon is identified -- maybe with the help of AI -- a malicious actor could order a custom strand of DNA from a commercial provider, who would manufacture synthetic DNA in a lab and return it via mail. As experts at the Center for Security and Emerging Technology at Georgetown University have posited, perhaps that strand of genetic material “codes for a toxin or a gene that makes a pathogen more dangerous.”

It’s even possible that a terrorist could evade detection by ordering small pieces of a dangerous genetic sequence, and then assemble a bioweapon from the component parts. Scientists frequently order synthesized DNA for projects like cancer and infectious disease research. But not all synthetic DNA providers screen orders or verify their customers.

Closing such loopholes will help, but we can’t regulate away all of the risk. It’d be wiser to beef up our defenses by investing in AI-enabled early-detection systems.

Today, the Centers for Disease Control and Prevention’s Traveler-based Genomic Surveillance program partners with airports nationwide to gather and analyze wastewater and nasal swab samples to catch pathogens as they enter our borders. Other systems are in place for tracking particular pathogens within cities and communities. But existing detection systems are likely not equipped for novel agents designed with AI’s help.

The U.S. intelligence community is already investing in AI-powered capabilities to defend against next-generation threats. IARPA’s FELIX program, in partnership with private biotech firms, yielded first-in-class AI that can distinguish genetically engineered threats from naturally-occurring ones, and identify what has been changed and how. A similar technology could be used for DNA synthesis screening -- with AI, we could employ algorithms that predict how novel combinations of genetic sequences might function.

We have barely begun to tap the potential of AI to detect and protect against biological threats. In the case of a novel infectious disease, these systems have the power to determine how and when a pathogen has mutated. That can enable the speedy development of vaccines and treatments specifically tailored to new variants. AI can also help predict how a pathogen is likely to spread.

For these technologies to play their vital role, leaders in Washington and around the world must take steps to build up our AI defenses. The best way to counter “bad AI” isn’t “no AI” -- it’s “good AI.”

Using AI to its full potential to protect against deadly pandemics and biological warfare demands an aggressive policy effort. It’s time for policymakers to adapt. With adequate foresight and resources, we can get ahead of this new class of threats.

Andrew Makridis is the former Chief Operating Officer of the CIA, the number-three position at the agency. Prior to his retirement from the CIA in 2022, he spent nearly four decades working in national security.

]]>
Eugene Mymrin
<![CDATA[US Army moves out on digital engineering strategy]]>
https://www.c4isrnet.com/land/2024/06/19/us-army-moves-out-on-digital-engineering-strategy/
Wed, 19 Jun 2024 15:23:47 +0000

The Army is embarking on a strategy to implement a digital engineering environment meant to speed the pace, lower the cost and reduce risk in weapons systems development, according to Jennifer Swanson, the service’s deputy assistant secretary for data, engineering and software within its acquisition branch.

Gabe Camarillo, the Army under secretary, who previewed the effort last fall, signed the directive in May, Swanson said, which enables the Army to grow its digital engineering capability across the force using current development programs to pave the way while promoting increased interoperability and developing a capable and experienced workforce.

Already, the defense industry is using digital engineering, including digital twins, to develop future vertical lift aircraft, combat vehicles and even hypersonic weapons.

“We view digital engineering as the linchpin of all the digital transformation efforts that we have ongoing today,” Swanson said in a June 18 press briefing at the Pentagon.

“Data, the way that software communicates, the output of that software, and how we inform our soldiers and commanders to make real time decisions, [artificial intelligence] [are] pivotal, critical,” she said. “Leveraging that data, leveraging those software capabilities; digital engineering is really how it all comes together.”

The directive policy has four tenets. The first is to establish digital engineering focus areas, the second is to promote interoperability and implementation across the force, the third is to establish and monitor programs identified as “pathfinders” and the fourth is to develop talent and expertise.

The Army has identified three focus areas for the strategy: Ground vehicles; aviation; and sensors.

The aviation focus area takes many lessons learned from industry, which has been using digital engineering heavily for aircraft design. The Future Long-Range Assault Aircraft, one of the DE pathfinder programs, was designed from the beginning in a digital environment and has served as a prime example of how the service plans to develop major weapon systems digitally going forward. FLRAA was built and flown in record time because it was designed digitally.

The ground vehicle focus area will draw from the automotive industry, which, according to the directive, “leverages DE heavily in designing cars and trucks today and has gained tremendous efficiencies and increased quality as a result.”

The Army has used digital engineering in its XM30 Mechanized Infantry Combat Vehicle competitive design effort from the very beginning, and the program is therefore one of the service’s pathfinder programs meant to “illustrate DE’s potential contributions, highlight existing policies and processes that may hinder a program’s ability to implement DE and identify how to advance DE adoption in various contexts,” the directive states.

XM30 program challenges

The challenges programs face as they begin to implement digital engineering as part of the design and development process were recently highlighted in the XM30 program. In the Government Accountability Office’s weapon systems annual assessment, officials found “it took longer to release the request for proposals due to a lack of experience with digital engineering while directing contractors to use specific software design approaches.”

Additionally, the Army “lacked precedent for scoping a digital open architecture project, which delayed the Source Selection and Evaluation Board process,” the GAO found.

XM30 was “really first in terms of putting [DE] out in an RFP that way,” Swanson said. “There was learning to be done and so I think that’s why it took a little bit longer, but I think sometimes you do have to go a little slow to go fast because I think they will absolutely benefit and the return on investment is there.”

One of the challenges that still exists, and that the XM30 program is working through, is related “to the fact that we don’t have interoperable digital engineering tools in industry,” Swanson said. “It’s a big problem.”

The Army “is not going to direct everybody to use a certain tool,” she said. “The lack of ability to cleanly and easily share data between all those tools causes challenges and that’s not just inherent to what we’re doing. That’s across the industry.”

The industry is planning to adopt new standards for digital engineering tools to increase interoperability to solve that challenge, Swanson said. The goal to establish those standards is targeted for the end of the summer, she added.

Other pathfinder programs the Army is using to guide its digital engineering transformation are the Integrated Fires Mission Command, the Joint Targeting Integrated Command and Control Suite, the M113 Armored Personnel Carrier and the Program Executive Office Aviation Logistics Data Analysis Lab for UH-60 Black Hawk, CH-47 Chinook and AH-64 Apache helicopters.

Selecting some older programs as pathfinders, like the M113, may come as a surprise, but according to Swanson, the M113 has a digital twin.

“There is a lot of reuse of parts between the M113 and our newer vehicles and so being able to take that digital twin, leverage it and evolve, it is great,” she said.

One of the bigger challenges as the Army seeks to execute the directive will be to extend digital engineering capabilities beyond the development realm.

“We want to build those digital threads from requirements all the way to sustainment,” Swanson said. “That requires all of our partners within the Army that help us acquire these technologies and these programs and so that’s really what this directive is about is being able to set the stage to enable everybody else to do it.”

]]>
C. Demarest
<![CDATA[How to use automation and AI to give warfighters a strategic edge]]>
https://www.c4isrnet.com/opinion/2024/06/13/how-to-use-automation-and-ai-to-give-warfighters-a-strategic-edge/
Thu, 13 Jun 2024 17:01:07 +0000

Earlier this year, the Department of Defense announced it had achieved a “minimum viable” version of Combined Joint All-Domain Command and Control (CJADC2). It was a significant step toward interconnecting troops across land, sea, air, space and cyber, providing warfighters with fast access to intelligence that could make a significant impact.

As CJADC2 evolves, so must the DoD’s edge infrastructure. The organization must ensure that the infrastructure it uses delivers accurate intelligence in all situations, regardless of the environment or the allies involved. That infrastructure must be resilient in harsh and remote environments and dynamically composable so that intelligence is delivered quickly and without fail as operations and objectives change.

AI and automation can help the DoD achieve both of these objectives. But first, it must overcome the limitations of legacy hardware that make it challenging to get data to warfighters.

Breaking out of the ‘boxology’

Proprietary and siloed platforms don’t meet the needs of CJADC2’s goal of a system to “sense, make sense, and act” quickly on information derived from AI, automation, machine learning and predictive analytics.

Fortunately, the DoD is standardizing hardware through open architecture approaches like the Army’s C5ISR Modular Open Suite of Standards (CMOSS) and C5ISR Modular Form Factor (CMFF). This will allow the Army and other defense agencies to escape the proprietary “boxology” holding them back from being able to take full advantage of edge and AI.

Greater flexibility provides multiple benefits. Military branches can build more dynamic and resilient infrastructures that can be stood up and deployed quickly in every situation. Warfighters can receive real-time insights and gain a “decision advantage” over adversaries.

Building self-healing, composable networks

Operating in harsh environments, moving from one operation to another and encountering information sharing challenges between allies can all contribute to interrupted and degraded communications and intelligence gathering.

The DoD must build self-healing edge infrastructures to overcome these challenges. Networks need to be able to quickly and automatically recover and repair themselves in the event of an issue without the need for human intervention. AI and machine learning enable the network to detect and respond appropriately to some of the more common problems like latency, degradations and other performance factors, while automation gives the network the ability to immediately respond to these issues.

Edge networks must also be composable. Composability relies on virtualization and automation to dynamically recreate networking, compute and storage resources as needed. This gives soldiers the flexibility to connect to different assets, which is valuable when working across agencies and with various allies who might rely on unique network infrastructures.

Creating an advantage with open source

Much like the DoD is adopting open standards for its hardware, the agency is also actively implementing open source software through efforts like the Army’s open source intelligence (OSINT) strategy. The Army and the other military branches can support OSINT and similar efforts by overlaying their resilient and composable networks with open source software that allows for them to take full advantage of automation and AI at the edge.

Open source automation can be applied across different domains, use cases and types of infrastructure. Teams can easily create code to specify automation tasks and apply the same protocols across any edge environment, negating the impact of incompatible technologies. For example, a soldier working with multiple allies in a remote location could specify the steps the network should take to automatically reroute traffic in the event of insufficient bandwidth or capacity.

Meanwhile, open source containers enable teams to port applications, including those using AI, from one environment to another. Containers wrap all the components of an application, including the files necessary to run the application, in a very small and ephemeral package that allows for application portability. Powerful AI resources can be easily created and transported between missions and run on any standardized hardware.

Continuous maintenance for continuous intelligence

Ensuring these implementations are kept up-to-date will be critical to their success. Therefore, the DoD must depart from standard software maintenance cycles and embrace a state of continuous evolution. It has already shown a commitment to do that with the progress of programs like CJADC2.

That commitment must carry over to the edge so that warfighters can maintain high levels of accurate strategic intelligence.

Christopher Yates is Department of Defense and Army chief architect at Red Hat.

]]>
Courtesy Photo
<![CDATA[How to harness AI and Zero Trust segmentation to boost cyber defenses]]>
https://www.c4isrnet.com/opinions/2024/06/11/how-to-harness-ai-and-zero-trust-segmentation-to-boost-cyber-defenses/
Tue, 11 Jun 2024 19:32:22 +0000

Modern cyber threats have become increasingly sophisticated, posing significant risks to federal agencies and critical infrastructure organizations alike. Critical infrastructure organizations face numerous challenges, including outdated systems and insufficiently patched software, which make them attractive targets for cyber attackers.

These weaknesses often arise due to the complexity of maintaining and updating legacy systems which often lack basic security controls, as well as the challenges of ensuring comprehensive security measures across expansive and interconnected IT enterprises. As artificial intelligence continues to advance, its use in the federal space is becoming more prevalent, leading agencies to increase their use of the technology as part of their cyber defenses.

However, recent research reveals that although 80 percent of cybersecurity decision-makers believe accelerating AI adoption is vital for their organization’s resilience against emerging threats, only 31 percent report that their organization currently utilizes AI for cybersecurity. Notably, 54 percent of leaders who have implemented AI say that it has helped to accelerate incident response times, highlighting AI’s potential as a powerful defensive tool.

AI serves as both a formidable defense mechanism for protecting sensitive data and a potent tool for cyber attackers. AI’s ability to continuously learn and improve from each interaction makes it an invaluable asset in defending against evolving threats. However, malicious actors also exploit AI to develop sophisticated cyberattacks, targeting vulnerabilities and bypassing traditional defenses with alarming precision.

Maximizing AI’s defensive capabilities with ZTS

To combat evolving threats and address vulnerabilities, AI and Zero Trust Segmentation offer a path forward. AI rapidly automates tasks, detects threats, and provides predictive analytics – analyzing vast amounts of data in real time to identify and mitigate anomalies quickly. ZTS complements AI by ensuring continuous verification of every access request within an enterprise, segmenting the applications with strict access controls and monitoring, thus limiting lateral movement by attackers and containing breaches.

AI’s defensive capabilities can be maximized when integrated with ZTS. Since ZTS involves continuously verifying and monitoring all user and device activities within an enterprise, no entity is trusted by default, even if it is already inside the enterprise. The integration of AI and ZTS means that even if an attacker manages to infiltrate the enterprise, their ability to move laterally and escalate privileges is severely limited.

While ZTS alone provides robust defenses by restricting access and enforcing strict verification protocols, the addition of AI enhances these capabilities by automating threat detection and response, identifying potential breaches in real time, and adapting to new attack vectors dynamically. Auto-labeling, for example, enhances AI’s effectiveness by streamlining data classification, reducing manual intervention, and allowing faster, more accurate anomaly detection. This leads to improved operational efficiency and heightened security as AI systems better recognize patterns, predict issues, and implement safeguards in real-time.

Together, AI and ZTS form a proactive, comprehensive defense strategy for critical infrastructure organizations, enhancing resilience against sophisticated cyber adversaries and helping organizations to stay one step ahead of attackers.

Pushing for responsible AI in critical infrastructure

Deploying AI across critical infrastructure organizations demands a strong commitment to ethics, focusing on transparency, fairness, and accountability. Transparency ensures AI systems are understandable and trustworthy. Fairness aims to prevent biases so that no one group is disadvantaged. Accountability requires organizations to take responsibility for AI outcomes, with protocols to address errors and mechanisms for stakeholders to raise concerns.

To deploy AI responsibly across critical infrastructures, organizations should adhere to several best practices. The Department of Homeland Security has ramped up its focus on AI with its new Artificial Intelligence Safety and Security Board, which offers recommendations for safely preventing and preparing for AI-related disruptions to critical services; addressing AI risk and threats; trainings, deployments, and usage of AI; and responsibly leveraging AI while protecting individuals’ privacy, civil rights, and civil liberties. Proactive approaches like these are essential to stay ahead of adversaries exploiting AI for malicious purposes.

To effectively harness AI’s defensive capabilities and protect critical infrastructure, responsibly integrating AI with ZTS is essential. This integration creates a dynamic defense mechanism that is difficult for attackers to bypass. AI’s continuous monitoring and real-time threat analysis enhance the ability to swiftly identify and respond to threats, forming a robust cybersecurity posture.

Combining AI’s real-time data processing and predictive analytics with ZTS’ stringent access controls significantly boosts resilience against evolving cyber threats. This approach addresses current vulnerabilities and anticipates future challenges, ensuring the security of critical infrastructure in a complex threat landscape.

Gary Barlet is federal chief technology officer at Illumio.

]]>
da-kuk
<![CDATA[US Cyber Command driving out redundancies in warfighting architecture]]>
https://www.c4isrnet.com/cyber/2024/06/06/us-cyber-command-driving-out-redundancies-in-warfighting-architecture/
Thu, 06 Jun 2024 17:55:24 +0000

As part of an effort to improve its warfighting architecture, U.S. Cyber Command continues to seek increased acquisition authority and is trying to drive out redundancies, Khoi Nguyen, who is in charge of acquisition at the command, said May 5 at the C4ISRNet Conference.

The Joint Cyber Warfighting Architecture, or JCWA, was established in 2019 and has been slowly taking shape. The aim is to consolidate and standardize Cyber Command’s big-data tools that help forces share information and plan missions. The command previously relied on tools, personnel and infrastructure from the National Security Agency.

“I would say it’s moving forward, we are getting momentum,” Nguyen said. The command, through congressionally approved defense policy, has been able to establish a program executive office for the JCWA, for one.

The command and the Office of the Secretary of Defense’s Acquisition & Sustainment office are working to stand up the PEO, he said, and in 2023, the command obtained system engineering and integration authority over the JCWA.

“What that means is we now have the authority to define the interoperability standards between the different components to help better drive better integration and better interoperability between different systems,” Nguyen said.

The JCWA is currently made up of six components: A persistent cyber training environment and the Joint Common Access Platform (JCAP), which are both run by the Army; a Unified Platform to take in, analyze and pass data, and Joint Cyber Command and Control, both under Air Force purview; and portfolios of sensors and tools, managed by Cyber Command.

Next up, as part of the establishment of the PEO JCWA, the command is working to get more acquisition authority over the program management shops that belong to the services, according to Nguyen.

This would mean the command would be able to approve programs of record as well as acquisition and contracting strategies, he explained. “That will give us a much more holistic ability to move everybody forward singularly.”

Additionally, the command has been able to conduct analysis and gain understanding of the different components of the architecture and a better understanding of the capabilities that exist within JCWA. Through that analysis, several initiatives were born to reduce redundancies, Nguyen said.

For example, he said, the programs of record all have their own software factory where software development is conducted. The command is now working to combine some software factories as a result.

“By reducing software factories, one, there’ll be some cost efficiencies,” Nguyen said, “but more importantly if you think of SolarWinds, SolarWinds was an attack on the software factory, so this will ensure we have a much better ability to defend our supply chain and so on from a software development environment perspective.”

The SolarWinds hack was a cyberattack in 2019 that led to data breaches for at least 200 organizations worldwide. The attackers, believed to be backed by the Russian government, exploited software or credentials at Microsoft, SolarWinds and VMware.

In another effort to reduce redundancy, the command is looking to combine or develop a singular platform to host applications.

The platform would be government furnished equipment that the command would give to all program shops “and say, ‘Hey, this is a common platform, Kubernetes environment, that we’re going to define and you will just deliver your application as containers or as virtual machines onto this common platform,’” Nguyen said.

Kubernetes is an automated workload and services management platform that works within a container system. It was originally developed by Google.

The platform “allows more efficiencies in the applications and then also, importantly, with this common platform we’re able to deploy it in different environments. We can deploy it within the cloud, we can deploy it on an edge processing or our [joint cyber] hunt kit and so on with a common platform,” he said, “and then the variances will be based on the application sets that were delivered on top of that.”

]]>
Josef Cole
<![CDATA[Sherman, Pentagon’s tech leader, to leave post for Texas A&M]]>
https://www.c4isrnet.com/electronic-warfare/2024/06/06/sherman-pentagons-tech-leader-to-leave-post-for-texas-am/
Thu, 06 Jun 2024 16:48:23 +0000

The Pentagon’s chief information officer will step down from his position at the end of June, the department announced Thursday.

John Sherman will leave the government gig to become dean of the Bush School of Government and Public Service at Texas A&M University.

Sherman, who served for three years as the intelligence community’s CIO before moving to the Pentagon post in 2021, “has been a steadfast advisor and an innovative leader who has helped the Department adopt and utilize modern information technology to keep our country safe,” Defense Secretary Lloyd Austin said in the announcement. “His technical expertise has proven invaluable in tackling a variety of digital challenges. His focus on mission readiness has ensured that each of the services is equipped with both the capabilities and the digital workforce necessary for modern warfighting.”

Under Sherman, the Defense Department refocused its approach to communications technology, spectrum management, cybersecurity, and positioning, navigation and timing policy. He told Congress last year that the U.S. must “regenerate” its electronic warfare capabilities after years of neglect to ensure dominance on the battlefield.

“As we get ready for China, we better be able to fight and dominate” the electromagnetic spectrum, he told the House Cyber, Information Technologies, and Innovation Subcommittee at a March 2023 hearing on defense in the digital era.

“As we’ve seen on the Ukrainian battlefield — all the dynamics with [electromagnetic spectrum operations], of how the Russians are trying to use it, and the Ukrainians are using it — we cannot be cut off on this, to be able to make sure we can conduct combat operations,” Sherman said.

Sherman was also a strong backer of cybersecurity practices known as zero trust, which he said could have prevented leaks including the 2022 disclosure of the classified reports by a 21-year-old member of the Massachusetts Air National Guard, if they had been fully instituted at the time.

“I am grateful for Mr. Sherman’s loyal service to the Department and to our Nation,” Austin said in the statement. “Our national security is stronger today because of his efforts.”

Sherman, who has also held senior positions in the CIA, the Office of the Director of National Intelligence and the National Geospatial-Intelligence Agency, will start in his new role Aug. 1, the university said in a statement.

He’s a distinguished military graduate of Texas A&M with a bachelor’s degree in history. While at the university, he was a Ross volunteer, which performs honor guard duties, and served as commander of the Corps of Cadets. He also earned a Master of Public Administration from the University of Houston.

After graduating from Texas A&M, Sherman was an air defense officer in the U.S. Army’s 24th Infantry Division.

]]>
Colin Demarest
<![CDATA[Russia’s white hat hacker bill exposes cyber struggles and strengths]]>
https://www.c4isrnet.com/opinion/2024/06/06/russias-white-hat-hacker-bill-exposes-cyber-struggles-and-strengths/
Thu, 06 Jun 2024 13:30:00 +0000

U.S. officials recently warned about pro-Russian hackers targeting poorly secured water systems around the country. While the U.S. was issuing this notice, the Russian government was advancing its own cyber measure: a final-stage bill to legalize white hat hacking.

White hat hacking, sometimes described as ethical hacking, generally refers to security researchers and cybersecurity firms going into company and government networks to probe for vulnerabilities. It’s a widespread practice in the U.S. and elsewhere to ultimately better protect targets.

Alongside water system attacks, the Russian war on Ukraine and sanctions on Russia’s technology sector, a white hat hacking law may seem pointless or even an item that should be at the bottom of Moscow’s to-do list. But the Kremlin’s nearly finalized white hat hacker rules expose the profound challenges facing Russia’s tech sphere — and Moscow’s path to cement its future cyber power.

Prior to February 2022, when the Russian government launched its full-scale invasion of Ukraine, there was great entanglement between technology firms in Russia and the West. Despite U.S. government restrictions on the use of Kaspersky, the Russian antivirus software, Russian businesses had access to many technology and cybersecurity services from abroad — and vice versa.

That has changed dramatically since the war. Russia is greatly struggling with import substitution for Western software (like Microsoft Windows) and hardware (like semiconductors and smartphones) and in keeping its cyber talent in-country amid a persistent brain drain. Foreign companies continue to suspend or terminate tech services in Russia of their own volition.

The impacts of tech isolation, brain drain and sanctions have hit Russia’s cybersecurity sector, too, across everything from talent to hardware procurement. Companies providing defensive services to the private sector as well as offensive and defensive services to the state are feeling the impacts.

Moscow’s new white hat hacking law is an attempt to help reverse the tide. At Russia’s largest hacking conference last year, the minister of digital development, communications and mass media spoke at length about the importance of businesses investing in cybersecurity and in the state cultivating Russia’s cyber talent base.

“I don’t sleep peacefully” when thinking about Russian cybersecurity, he said.

In the year since, Russian tech firms like VK and cybersecurity giants like Positive Technologies have built out bug bounty programs for ethical hackers to report security flaws for payment. The nearly finalized bill seeks to legalize such activities against Russian companies.

Giving the green light for white hat hacking will enable the build-out of these bug bounty programs and efforts to bolster companies’ cyber defenses against foreign actors (including foreign governments). Such a law is one way the Russian government shapes the cyber ecosystem.

In certain areas and on certain issues, such as hacking Russians or targeting foreign governments without permission, the state sets relatively bright lines of acceptable and unacceptable behavior. Hackers know, often without it being said explicitly, that some activities are off limits. Legalizing white hat hacking does the opposite: It makes explicitly clear, in an environment riddled with uncertainty, that the government wants Russian hackers to find and plug holes in Russian networks.

After a formal review of parliament’s bill, the Russian government has recommended that it clearly include the legality of testing government networks (not currently in scope). It also recommended the bill constrain how much Russian white hat hackers could help organizations in countries committing “unfriendly” actions against Russia — in other words, don’t help Western companies.

With the state’s blessing and recommended changes, the bill has a clear and nearly certain path forward to passage.

On the strategic level, there are two sides to Russia’s so-called ethical hacking effort. It does not come from a position of strength; brain drain, Western sanctions, the inability to replace Western chips with domestic-made ones and other developments since February 2022 have hampered the Russian cybersecurity sector. Authorities modified remote work rules to let Russians support their old companies from abroad. At the same time, state entities cracked down on remote work. The creation of a white hat hacker law is, in some ways, a reflection of the Kremlin’s desperate attempt to boost the cybersecurity of Russian systems amid hacks from Ukraine and others, huge losses of talent and technology, and a need to get a wider swathe of Russians involved in cyber defense.

Simultaneously, Russia is looking to its traditional cyber power base: companies, universities, developers, cybercriminals, so-called patriotic hackers, intelligence contractors and more. Lots of countries have white hat hacking laws, and Russia’s measure is not some inherently nefarious security services plot. But the Russian state does pressure private sector developers to build hacking tools. And it pays cybercriminals to support intelligence operations while encouraging hackers to target foreign countries (among others) when it needs additional support, plausible deniability or even specific capabilities. It is a distributed, entrepreneurial and ingrained way of leveraging a wide spectrum of cyber talent to support the Kremlin.

On top of paying off cybercriminals or firing up patriotic hackers, the proposed law will encourage more citizens, independent developers, academics and even possibly criminals to get involved in bug bounty programs and testing Russian public and private sector networks.

The takeaway for the U.S. national security community is clear: Russian cyber power isn’t just military troops and intelligence operatives; it’s about the entire base of companies, criminals and white hat hackers, too.

Justin Sherman is a nonresident fellow at the Cyber Statecraft Initiative, a program with the Atlantic Council think tank. He is also the founder and CEO of the research and advisory firm Global Cyber Strategies, as well as an adjunct professor at Duke University.

]]>
SERGEI SUPINSKY