IT Modernization is Part of DOD’s Cybersecurity Package

For the Pentagon, modernization and cybersecurity are one package.

There’s something to be said about the connection between outdated technology and cybersecurity concerns in government. For the Defense Department, updating IT is part of an overall initiative to boost security and strengthen cyberspace.

Specifically, DOD’s Command, Control, Communications and Computers and Information Infrastructure Capabilities, or C4&IIC, a branch within the DOD Chief Information Officer's Office, executes war-fighting missions for the department. Brig. Gen. Kevin Kennedy, the principal director to the C4&IIC deputy CIO, said in terms of vulnerabilities, the majority of C4&IIC systems were fielded in an environment that is not the same one used today.

“Most of the modernization schedules for our weapon systems that we’re going to execute … are on update rates that don’t keep up with the pace of IT update rates,” Kennedy said in a panel at the Nextgov Tech Refresh event in Washington, D.C., on June 29.

For example, C4&IIC needs to rethink how it updates embedded IT systems and platforms at a rate that can keep systems viable and secure. To begin, Kennedy will prioritize the systems that need more resources, and set aside the ones that can accept more risk.

Avoiding risk across the department and across all capabilities is unattainable, but figuring out how to apply risk mitigation and continuous monitoring in DOD’s platforms is key to reacting to adversaries. According to Kennedy, there are three ways DOD plans to do this:

  1. Basic cyber hygiene foundation: Making sure the department is conducting good cyber practices. Currently, DOD is doing this with its Cybersecurity Scorecard, which tracks 11 key factors like proper operating systems and two-factor authentication.

  2. IT modernization: This also means system hardening and resilience. As the department is fielding systems, Kennedy is focused on what he can do to the ones fielded and the ones in development.

  3. Active defense: C4&IIC plans to use its cyber protection teams and explore how machine learning and advances in artificial intelligence can help DOD be more reactive and supportive to its war-fighting and operations.

The Modernizing Government Technology Act, which was passed by the House and is up for Senate review, intends to make the transition to new technology easier.

“Part of what that does is gives agency CIOs, such as Kevin, the flexibility to take the funds that were otherwise set aside in those legacy systems and instead use that to migrate,” said Austin Agrella, legislative assistant to Rep. Will Hurd, in the same Nextgov panel. Hurd is the sponsor for the MGT Act.

Agrella said this migration can address security concerns. Systems that haven’t been supported by the vendor in 10 to 15 years are a security risk. Being able to modernize and migrate to the cloud or to newer, more advanced systems can help secure DOD’s cyber infrastructure.

However, as Kennedy noted, modernizing IT and updating software is only part of a complete cybersecurity package. So along with updated software and good IT and patch management, agencies need tools that constantly find vulnerabilities, monitor cyber activities and detect threats.

Kennedy thinks about cyberspace as a spectrum. On one side are the adversaries and on the other is the nation-state.

“Yes, some of the modernization, cyber hygiene, that helps on this side of the spectrum,” he said, but it won’t protect them all the way through. When culture, policy and regulations are in place, agencies can better choose systems that will bring innovation and stronger cybersecurity to the infrastructure.