A senior official shed light on progress the branch is making in its modernization pursuits.
The U.S. Army is embarking on a deep, digital transformation that is enabling fresh access to commercial cloud offerings and more strategic and secure applications of technology and data.
And Maj. Gen. Matt Easley has had a front seat view to that military-driving modernization.
“Army Vantage [an Army-wide data management program and platform,] is now being used by over 35,000 people worldwide to assist decision-making across Army echelons and is providing curated, authoritative data, dashboards, common operating pictures and custom tools for analysis,” he recently explained.
After serving for a couple of years as the director of the Army’s Artificial Intelligence Task Force, Easley was named as the branch’s director of cybersecurity and chief information security officer in mid-2020. Recently, he moved on from that role to serve as the deputy principal information operations adviser to the Defense secretary, within the office of the undersecretary for policy.
During his final days as cybersecurity chief, Easley briefed Nextgov over email regarding his time leading the office, and his expectations for the Army’s future.
NG: How would you characterize your leadership style as CISO and Cybersecurity director, and what kind of culture do you try to create to best meet mission demand?
Easley: Being the CISO of one of the largest federal agencies has really called me to use multiple leadership styles. The U.S. Army’s network, with more than a million users and a million endpoints, requires situationally dependent leadership philosophies. Foremost is transformational leadership. The cybersecurity landscape is evolving fast. New technologies are improving our information systems—everything from cloud to software-defined networking. As the internet connects more of our work environments, our homes and infrastructure, our attack surface is increasing and our cybersecurity solutions have to keep pace. Incremental change to highly manual cybersecurity processes won’t be sufficient to protect us against highly automated attacks. We have to transform our processes, technologies, and workforce to secure this new environment.
At other times, I use a coaching style, especially to help my staff work through novel problems or to mentor rising soldiers and civilians. Finally, I hate to admit it, but I periodically have to use a bureaucratic style. Managing the cyber hygiene of all our information systems is required by federal law and an efficient, detailed-oriented, structured system of reporting is the only way we can really see the cyber landscape across thousands of systems.
For the Army CIO’s Cybersecurity directorate, I’m really trying to encourage a learning culture. As technology and cybersecurity paradigms change quickly, everyone in this space has to embrace lifelong learning.
NG: Can you highlight some of the work the Army is doing to develop, support and evolve hybrid cloud environments? And how does this fit into the Defense Department’s broader cloud-centered efforts?
Easley: Since we are a global Army with a wide and complex mission across multiple business verticals, from managing people, to hardware supply chains, to fighting wars, we know that we need a combination of multiple commercial public cloud environments supporting Internet as a Service/Platform as a Service /Software as a Service offerings, as well as private, on-premise cloud environments supporting our soldiers outside the continental United States and within the tactical domain. The Army has been employing a model for how we buy, secure and build cloud services for over two years now and each of those components has been designed to support a multi- and hybrid-cloud mission. A lot of what we learned with how we buy multi-cloud and how we have been securing public multi-cloud offerings [is] within cARMY, the Army's enterprise cloud environment that is helping inform how the Defense Information Systems Agency wants to structure Joint Warfare Cloud Capability and shape DOD policy around impact levels and distributed architectures.
As we expand the cARMY footprint into the overseas and tactical domains, we are collaborating across the DOD around common needs of physical spaces for hosting cloud infrastructure in private, on-premise locations and commercial transport requirements, as we collectively experiment with operational use cases and share those lessons learned. We are also partnering on common design patterns of infrastructure that enable enterprise and war-fighting capabilities to be deployed seamlessly between public and private cloud environments with little to no reconfiguration needed.
NG: Can you provide a status update, maybe describe the evolution of tech and processes for allowing personnel to communicate at higher levels of classification and effectively in remote environments?
Easley: For communicating at higher levels of classification, the Army relies upon approved solutions from the National Security Agency. We are really looking forward to expand[ing] use of their commercial solutions for classified programs.
NG: What are some of the ways the Army is securely using and applying data, right now, as a strategic asset?
Easley: The Army Digital Transformation Strategy outlines multiple initiatives to ensure that we are leveraging data for accurate and efficient decision making, from Army senior leaders at headquarters to soldiers at the tactical edge. For example, the Army will implement business intelligence protocols to prioritize, mature and scale our data management efforts to better enable access to large datasets.
In addition, we’ve made tremendous progress with Army Vantage, an Army-wide data management program and platform. Army Vantage is now being used by over 35,000 people worldwide to assist decision-making across Army echelons and is providing curated, authoritative data, dashboards, common operating pictures and custom tools for analysis. We’re also planning to establish standard accredited toolsets for artificial intelligence, robotic process automation and machine learning, as well as an enterprise data lake in Army’s cloud for use by all mission areas. Project Convergence and other defender series will continue to prototype and test the ability to leverage artificial intelligence and machine learning. These tools and efforts aim to help us extract quicker and more complex insights from the massive amount of data in our networks, systems and weapons.
NG: What are some of the major challenges confronted by defense entities as they work to implement artificial intelligence-enabled technology, enterprise-wide?
Easley: Two big challenges to implementing AI-enabled technologies include data and digital ecosystems. The world is pushing AI and machine learning systems because they can provide near-expert level recommendations in a wide variety of domains, from analyzing trends in time-series data to image detection and recognition. But to train and develop these systems requires lots of data, and to make these systems more adaptive and accurate, this data needs to be clean, standardized and timely. To get that data to a development environment to build, test, secure and deploy these algorithms, it requires a cloud-based digital ecosystem. This is one of the key points of the Army Digital Transformation Strategy and why it’s so important to support the efforts of the Army’s cloud: cARMY.
NG: The Army has a couple of responsibilities under President Joe Biden’s recent executive order on improving the nation’s cybersecurity. Please discuss those, and fill us in on any progress y’all have made so far.
Easley: The White House’s executive order on “Improving our Nation’s Cybersecurity” has two focus areas for every federal agency. The first is to continue pushing migration efforts to use cloud technology for our information systems. For the Army, it’s critical that we push systems to cARMY, the Army cloud ecosystem, so that cybersecurity professionals and our cyber defenders from Army Cyber Command have one, well-governed ecosystem to secure and defend. Without a single ecosystem, the Army will have to manage, secure and defend a plethora of disparate systems, which increases our attack surface and the complexity of our reporting system, makes data less accessible and decreases our cybersecurity.
The other key area is to develop plans and policies to implement a zero trust cybersecurity architecture. Zero trust is not a single widget that you can go out and buy. Instead, it is a cybersecurity paradigm to integrate a wide range of IT, data and security technologies into a more cohesive and robust system of systems. Zero trust is also a tiered approach to cybersecurity so that you can use stronger protective measures for more critical systems and data. The Army is already well along its zero trust path, developing the foundational piece to enable more robust zero trust capabilities in the future. We continue to modernize our identity, credential and access management system so we can have strong and more nuanced trust relationships between users, data and systems. We are implementing comply-to-connect to ensure each endpoint is properly configured before it is allowed to connect. If it is not, automated solutions correct its security posture. And this is only two examples. The DOD’s framework has seven pillars and the Army continues to access its systems for compliance against this framework.
NG: How are you handling guiding people and military components on the use of encryption? Cybersecurity agencies and officials, for example, advocate the use of end-to-end encryption but note that it will not be possible for some agencies and departments (based on the need to preserve/maintain access to certain data for law enforcement/intelligence types). How is this balance particularly complicated by use of the cloud, and how are you approaching it?
Easley: Federal law is very clear on mandating the use of encryption for protecting controlled unclassified information across the government. This applies to both data at rest and data in transit. The federal government already has strong programs to enforce this through our risk management processes both internal to the DOD and in the defense industrial base.
End-to-end encryption is possible both in the cloud and in interagency communications, but is only possible with enterprise-level identity and credential access management solutions. The key component to this is the federal government’s public key infrastructure. This allows us to tie the trusted identity of our workforce with encryption certificates. The cloud can actually increase this interoperability with its ability to create a virtual workspace on mobile devices so that the information is maintained in the cloud.
NG: Based on the previous two years, what are some lessons learned that you'd like to share with your Defense colleagues or other agencies?
Easley: The pandemic has shown us the critical need for our enterprise systems to be available to access anywhere. From our office, from our home, from a training location or from a forward-deployed location. We cannot continue to have our tactical “warfighting” IT infrastructure and then a separate “enterprise” IT infrastructure. The zero trust paradigm will allow us to make access anywhere a reality.
NG: What is something you are excited to work toward or accomplish in 2022?
Easley: It is really exciting to see the number of organizations pushing cARMY to develop more capabilities for the enterprise. This runs the gamut from just providing cloud-based infrastructure to software as a service. Teams are using cARMY now for project management, as a software repository and as our DevSecOps environment. The Army Futures Command Software Factory is using cARMY to train our new cohorts of Soldier developers as well as for Soldier-centered software development.
NG: Is there anything else worth noting, or that you’d like to add?
Easley: As part of the Army’s Digital Transformation Strategy, the Army is continuing to assess its digital workforce for future capabilities. We just completed a zero-based review of our cyber-IT and our cybersecurity workforce at two major Army organizations: Army Cyber Command and Army Communications Electronics Command. That study found a good match between their current requirements and the workforce. We still need to assess future needs especially in the areas of artificial intelligence, data analyst and cloud computing and will push to get these jobs formalized in the DOD’s Cyber Workforce Framework.