The Pentagon’s chief weapons tester wants to shift the conversation from cyber hygiene to “cyber survivability.”
Speaking on the Monday edition of The Daily Scoop Podcast, Nickolas Guertin, the Department of Defense’s director of operational test and evaluation, said that many organizations within the DOD are still not compliant with standards to harden their systems against internal and external cyber threats.
“There’s so many programs out there that are underperforming in this area, and they can do a lot with not that much effort to improve the overall department’s posture in cyber survivability,” he said.
Guertin said these are very achievable requirements, adding his organization is going to “hold the line” and say, “If you can’t do this level of cyber survivability, then when you show up to the war fight, you are not doing the warfighter any good because they might be exposed and weapon systems might not work the way we need them to. So you have to meet that barrier.”
He said shifting from a mindset of cyber hygiene to survivability could be one way to get the point across better to commanders and other senior leaders.
Pointing to a conversation he had with the deputy secretary of defense, he recalled a Marine Corps general saying personnel can’t get excited about cyber hygiene.
“We need to get the warfighters excited, and they’re all excited about surviving,” Guertin said. “We’re elevating the visibility, changing the discussion, but not really changing the requirements there. Most of them are not that hard to meet.”
Some of the standards organizations have to meet are simple housekeeping items such as making sure that systems are reasonably secured against insider threats. Others involve ensuring software is up to date and managed and that organizations look at their vulnerabilities relative to their software bill of materials.
“There is just some general practices that are not being adhered to coherently across the joint force and we need to bring that visibility so we can have some transparency and change the game,” he said. “I think some of the work that the department is doing under the auspices of zero trust, for instance, how do we think about weapons systems that can fight through a cyberattack? I mean, the opponents are persistent and omnipresent and you can’t pretend like you’re not going to get impacted by that machine that’s out there that’s trying to get at our systems.”