SAN FRANCISCO — When Congress passed legislation in 2020 mandating the creation of principal cyber advisor (PCA) roles in each of the service branches, it did so with an eye toward centralizing and coordinating planning and funding for cyber operations across the military.
One of the ultimate goals was to help the Defense Department speak with a unified voice while interacting with Congress and help each branch see “between the gaps and the seams and the no man's land and see what's being missed,” as then-Army principal cyber advisor Terry Mitchell told FCW in 2021.
Flash forward two years and the experience has been eye opening for some of those who have filled the role since. At the RSA 2023 Conference in San Francisco, a trio of military cyber advisors detailed some of the lessons learned as they’ve blended into branch operations and weighed in on the biggest myths they’ve encountered in their new role.
“I think the PCAs, we’re all in our collectively third year of the integration of this, so think of startups in an organization like the Department of Defense being mandated by Congress saying, ‘Hey, we are now going to have principal cyber advisors in each of your departments.’ There’s some growing pains associated with that,” said Chris Cleary, PCA for the Department of the Navy.
Fixing cyber’s “branding problem”
For Wanda Jones-Heath, who spent eight years as chief information security officer (CISO) and deputy CISO for the Air Force before taking over as branch PCA in 2020, the move was a shift from a job where most of her interactions were with other cybersecurity professionals to a role where she primarily advises and works with non-cyber military leaders.
The experience has imparted a key lesson in communication: information security personnel tend to excel at talking to each other, but often struggle to explain to anyone outside their bubble what their field actually contributes to military operations.
Much of her time has been spent “having a lot of conversations with our non-cyber stakeholders [and operators], understanding their mission, what they think they need, their requirements, what they think about the community at large and, yes, we may have a branding problem because we talk to each other very well, [but] being able to talk to non-cyber people makes a difference,” said Jones-Heath.
Cleary expanded on that point, saying the cyber domain remains a relatively new concept in DoD circles. While it’s been less than 20 years since DoD classified cyberspace as a domain of war, its proponents must regularly compete for time and attention with other, more established domains that have been taught at war colleges and executed on the battlefield for generations.
But real-world examples, like Russia's attack on satellite provider ViaSat in an effort to disrupt Ukrainian communications at the outset of its invasion last year, demonstrate that the domain is quickly becoming more relevant on the battlefield (even if Moscow's record of successfully leveraging cyber operations during the war has been spotty, at best).
Still, one of the key challenges of the job is getting stakeholders outside of cybersecurity conferences like RSA, who aren’t ensconced in the information security community, to “understand that almost everything they do within the Department of Defense is underpinned by this [discipline] in one way, shape or form.”
“The story that we try to get out is not as much to [audiences like RSA], but how do PCAs sort of evangelize within the rest of the Navy that has been doing combined arms kinetic warfighting — in some instances for hundreds of years — that are trying to envision how this domain of warfare can be leveraged to enable what they do, or at least appreciate how it supports what they do,” said Cleary.
People matter more than tech
“People, process and technology” is a mantra that is repeatedly heard in cybersecurity circles, reflecting how many core cybersecurity problems are not solved by a silver bullet or the latest buzzword technology, but rather by having the right people in place with the right authorities to get the job done.
To that end, a Government Accountability Office report last year found that many of the service branches weren’t positioned to retain top cyber talent that they trained. Army officials said in June 2022 that they planned to double the size of their cyber workforce over the next five years, but also said that they would likely miss recruitment goals for the year.
It’s not a new concept, but for Michael Sulmeyer, the Army’s principal cyber advisor, life in the massive bureaucracies of DoD and the component service branches drives home the reality behind the phrase.
“It is obvious that our field here is one that places a premium on understanding technology, but increasingly the more time I spend in the service with the Army, I’m seeing that without the human, without the people, the technology does not get used as good as it could be or should be,” said Sulmeyer.
Good cybersecurity is also about more than having the budget for expensive solutions and tech. Smarter use of the tools already at your disposal can make a big difference, and if your organization really does need a particular tool or product, paying for prevention up front is usually cheaper than paying for remediation and recovery after an incident.
“There’s still a bit of intimidation on cost, there’s still a lot of [thinking] that ‘Well, to be cyber secure is going to cost so much more.’ Yes, there’s probably some sort of bill to be paid at some point, but configuration changes can actually do a lot to make an existing asset more secure,” he said. “Also, you’re going to pay anyway … when you get hit, or when the information or your intellectual property and proprietary data is stolen.”
DoD leaders really do “get” cyber
Often, bad or incoherent cyber policy at an organization can be traced back to leaders who don’t understand the field or the nuances of how technology works and interacts with the mission. Complaints of that kind are frequently well founded, particularly in the military.
An open letter titled “Fix Our Computers” by Michael Kanaan, director of operations for the Air Force Artificial Intelligence Accelerator, went viral last year for channeling the immense frustration among rank-and-file members of the military over the poor state of the technology that they, and the broader DoD mission, rely on.
It included lines like “Tanium battling McAfee for scans all day takes up 40% of the processes inside the machine. Fix our computers,” and “Making computers so useless that nobody can hack them is not a strategy (yet they hack them anyway). Fix our computers.”
While many of those problems continue to endure today, Sulmeyer said it’s no longer accurate to claim DoD leaders broadly don’t “get” cybersecurity or its importance to military operations and success.
“I’d say the senior leaders I work with today have been in repeat tours, in high positions of responsibility where they know a lot about the details of our field. That is really impressive because … when they started their career, it’s not like they came up as a cyber technician or a cryptologic warfare officer in the Navy, but when you look at the leading generals in the Army in their background, it’s fascinating to see [how] they’ve gotten senior level exposure to these issues.”