DOD Deputy CIO: 'Cybersecurity should vary by mission'
Richard Hale says everyone playing by one set of rules inhibits innovation, including migration to a cloud and development of a mobile environment.
No "one size fits all" at the Pentagon.
The different levels of mission risk at the Defense Department have posed a major challenge to building out DOD's cybersecurity posture. Now, according to Deputy CIO Richard Hale, the department is working to make distinctions on the varying levels of risk by mission in order to make better decisions.
"Cybersecurity should vary by mission," Hale said in his keynote at the MeriTalk Cloud Computing Brainstorm event in Washington, D.C., on Sept. 10. "I shouldn’t spend as much money on morale and welfare website as I do on nuclear command control, it doesn’t make any sense."
Everyone playing by one set of rules inhibits all kinds of things — especially movement to a cloud and mobile environment, Hale said.
This became evident in DOD's work following the 2010 earthquake in Haiti, Hale said. DOD had to team up very quickly with Cuba and China, and the joint effort turned out to be very difficult because of the inflexibility of DOD network.
"Right now we are trying to step back from this one-size-fits-all model and recognize the reality that different missions have different risk tolerances, and that we can’t imagine them all," Hale said.
Hale said DOD is trying to rework its computing and wide area network infrastructure in order to have a "more sophisticated notion of zoning by mission risk."
That involves cleaning up the server computing side of things and distinguishing it from the user computing side. Without achieving that, Hale said, DOD will never be able to go fully mobile.
Moving to a Joint Information Environment would also position DOD to take more advantage of mobile and cloud, according to Hale. Aside from the cybersecurity and cost savings benefits that JIE offers, it would also position DOD to better embrace innovations being offered in the commercial technology world.
One of the complexities DOD is trying to work out through a few pilot projects is how it is going to work with classification restrictions to make it easier to share information between external centers.
"One of the reasons we’ll be a little cautious in putting more and more sensitive information and more important missions into cloud is this business of puzzling out how we're going to do shared cyber defense and figuring out how we’re going to trust certain cloud providers to do that," Hale said.
The next step for DOD will be to assess the results of the pilots and reexamine much of what it did in the early stages of moving to the cloud, which includes evaluating its value to the mission. After all is said and done, Hale said, people can expect "DOD will have much more use of cloud."