Internal DoD Effort Focuses on Individual Cybersecurity Responsibility
By Cheryl Pellerin
WASHINGTON, October 14, 2015 — The Defense Department recently announced an effort to help individuals throughout the department do their part to protect the DoD Information Networks, or DoDIN. A letter to the department signed by Defense Secretary Ash Carter and Army Gen. Martin E. Dempsey, who recently retired as the chairman of the Joint Chiefs of Staff, introduced the DoD Cybersecurity Culture Compliance Initiative, or DC3I, and outlined its principles and timeline.
“Each of us, as network users and providers, has an individual responsibility to protect the [DoDIN],” the leaders wrote in the letter. “Nearly all past successful network penetrations,” they continued, “can be traced to one or more human errors that allowed the adversary to gain access to, and in some cases exploit, mission-critical information.”
The DC3I document outlines how the department will improve “individual human performance and accountability in mutual support of the DoD Cyber Strategy” released in April, the letter said.
Everyone is an Operator
Those who will benefit from the training include everyone who is part of the DoD cyber enterprise, including leaders, service providers, cyber warriors and general users. As Cybercom commander Navy Adm. Mike Rogers said in testimony Sept. 29 before the House Armed Services Committee, “Everyone who uses a keyboard is an operator.”
The DC3I establishes five operational excellence principles that will be fundamental to the DoD cyber enterprise — integrity, level of knowledge, procedural compliance, formality and backup, and a questioning attitude, the memo said.
The principles borrow from proven initiatives in other high-risk endeavors that inculcate high levels of personnel reliability into daily operations, the letter said. “The DC3I will take a systems approach to education and training, scheduled and spot inspections, periodic and episodic reporting, and targeted investments that embrace mission-driven cybersecurity,” Carter and Dempsey wrote.
“The initiative makes clear that the department is willing to accept some inconvenience to enhance our security posture,” they added. As it leads the DC3I implementation, Cybercom will provide quarterly updates to Deputy Defense Secretary Bob Work and the vice chairman of the Joint Chiefs of Staff.
DoD Chief Information Officer Terry Halvorsen said his office is working with the support of those at the highest levels of the department to create a cyber culture and advance cyber discipline through leadership, accountability and transparency.
“To better measure cyber hygiene and cyber basics, DoD CIO and Cyber Command prioritized a list of the most important cyber hygiene efforts,” Halvorsen said, adding that these must be done well everywhere in DoD to eliminate cyber vulnerabilities that can put missions at risk.
The efforts include things like configuring all computers to the DoD security standard, Halvorsen said, and ensuring that every computer is defended by an operational organization and that nothing in DoD’s global infrastructure falls through operational cracks.
The CIO said that other cyber hygiene efforts include “eliminating the use of passwords by all system administrators and replacing passwords with the cryptographic identity credentials issued by the DoD Public Key Infrastructure.”