WASHINGTON, Oct. 29, 2015 —
The Defense Department needs to change its cyber culture to protect its networks from the relentless threat from hackers, the department's chief information officer said today.
"I get a question all the time: 'What keeps me awake?' I think most people expect me to answer it's security or it's dollars. It's neither of those things. It's culture," Terry Halvorsen told a reporters breakfast here hosted by The Christian Science Monitor.
The Internet is an "important part of our business, an important part of our culture, but you have to go there with the right rules and right understandings," he said.
DoD has to establish a "culture of cyber discipline," he said, because the attacks against the agency networks are constant. "There’s not a time when I’m not being attacked somewhere in the world," he said.
With hackers generally out of the public's view, he explained, "I think it's easy for people to forget that there are bad actors out there."
Understanding Cyber Economics
Good cyber defenses include a combination of tools, culture, and training and education, Halvorsen said. "It's really also educating leaders at every level what their responsibilities are and what they need to know," he added.
The Defense Department needs to change its cyber economics as well, Halvorsen said.
"It is much less expensive for someone to attack us than it is for us to defend, and we got to turn that around," he explained. "Today, we are really on the wrong side of that piece."
Cyber is a relatively new warfare domain, he noted. As with any domain, such as aviation or nuclear, it takes time to build and secure, he said. A big difference in cyber, he told the reporters, is that it moves faster than any other warfare area.
"That's a challenge," he said. "We're in the midst of having to make some major culture changes."
DoD is working to automate as much of its cyber security as it can, to get to where the defenses “self-learn” and take actions to stop or quarantine an attack, he said.
An enterprise culture is also needed, the Pentagon’s CIO said. "Cyber is forcing us to think different about that," he added. "Unlike other areas, cyber truly is enterprise, because it's connected."
For the first time, the Defense Department is putting civilians in private information technology companies for six months, and private IT company personnel are doing tours at DoD, Halvorsen said. During World War II it was not uncommon, he said, for people to move back and forth between private and government jobs, and to have industry partners working on government projects.
The government could benefit greatly from a partnership with private IT firms, he said. Smaller companies could partner up with larger firms to help with scalability for government projects, the CIO noted.
A constant issue Halvorsen said he faces is that people will present him with a computer technology that has been tested for 25,000 people. "They get mad when I say, 'Well that's good. Now you have to test it for about a million, so I can know that it will scale.'"
(Follow Lisa Ferdinando on Twitter: @FerdinandoDoD)