Cyber is the New Weapons System of the Future

OPINION — “Right now, the offensive side has all the capability and we on the defensive side have got to run a new defense.” That was John Sherman, the Defense Department’s Acting Chief Information Officer (CIO) when asked what keeps him up at night during a House Armed Services Subcommittee hearing on Information Technology and Cybersecurity on Tuesday, June 29, 2021.

​

“We are going to run a new defense,” Sherman said, “and it’s going to involve making it about the data in the systems as well as artificial intelligence (AI); how we can bring that [AI] to bear so we don’t segment ourselves and have-to-have tens of thousands of defenders doing the work that a set of AI algorithms [can do].”

​

Sherman is no amateur on the subject. He was the Intelligence Community’s CIO where he introduced advancements in cloud computing, cybersecurity and interoperability capabilities. Before that, as a CIA Deputy Director, he built up the agency’s Open Source Enterprise.

​

That same day, June 29, Gen. Paul M. Nakasone, the director of the National Security Agency and head of U.S. Cyber Command described in specific terms the challenge ahead. Speaking virtually to the WEST 2021 Conference of the U.S. Naval Institute and Armed Forces Communications and Electronics Association, Nakasone said, “The scope of what we need to defend and protect has dramatically expanded.” He described the Defense Department’s information network as composed of 15,000 sub-networks, 3 million users, 4 million computers, 180,000 mobility devices, 84 different Defense Department-run internet access points, and 605 million website requests a day.

​

“We used to think about cyberspace as merely the need to protect these computer networks,” Nakasone said. “And while it’s a good place to start, the attack surface is much broader. We need new ways to keep it safe.” For example, he described the need to now protect Navy and Marine weapons systems and the ability to get them new software updates even when ships are out on months-long deployments.

​

Sherman told the House panel, “Cyber security is my top priority as CIO, along with modernization.” He said that while the fiscal 2022 budget lists $5.5 billion for cyber security, “there’s more in the budget that we ought to be able to reflect,” such as computer protection programs purchased from vendors. “Software capabilities and networks are also critical to our success,” he said. “[We] will release a software modernization strategy later this summer that builds on already developed guidance. We are dedicated to delivering resilient software capability at the speed of relevance.”

When asked about current risks, Sherman said, “The main priorities are all being answered in the President’s budget, but we do have some risk areas.” He singled out weapons systems and critical infrastructure, “recognizing that our adversaries are going to be coming after those two.” Moving beyond just the Department of Defense Information Network, which is under his charge, Sherman said, “Looking at weapons systems and elsewhere…because some of these programs were started in the [19]90s when cybersecurity was in a different place, we have a better way to come at this type of area where we’re carrying some risks that I want to do a better job of working with our colleagues in the Department,” mentioning Gen. Nakasone specifically.

​

Software capabilities and networks are also critical to our success.

—John Sherman, Acting Chief Information Officer (CIO) of the Defense Department

​

​

Toward the end of the hearing, Rep. Scott Franklin (R-Fla.), a veteran with 26 years as a Navy pilot, brought up the subject of accountability around cybersecurity. “In the physical domain,” Franklin said, “a commander would be held accountable if he or she lost equipment or mishandled it. To what extent do you believe commanders are held sufficiently accountable for not caring for DoD information systems in their care?”

​

Sherman described that responsibility as “an evolving area” which he, as a former Army officer, felt passionate about. “If you roll out of a motor pool without proper ammunition or fuel on your [Bradley] fighting vehicle, or push a ship off the dock etRcetera, you’re held accountable for that. Part of it is how we can ensure there is instrumentation and that the commanders and the ship drivers and the maneuver commanders know what’s going on – on their weapons platforms. So, if there’s going to be accountability on this, we’ve got to be able to monitor what exactly is going on there.”

​

Sherman said the subject is being looked at. “We have brought this up to our leadership and have some work to do on it,” he added.

​

“I agree,” Franklin said, “From a Navy standpoint, it’s always been known that the captain is ultimately responsible. It doesn’t matter if he or she is on the bridge if the ship goes aground. You’re relieved of command and, at some point, we’re going to have to understand that the potential damage from cyber intrusions are going to be just as serious as those.”